I'd like to add the HttpOnly flag to JSF/richfaces cookies, especially the session cookie, to up the level of security on my web app. Any ideas?
Question:
Answer 1:
There may be something that allows you to do this in your servlet engine. This is part of the Servlet 3.0 spec which is yet to be released.
Answer 2:
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;

// getCurrentInstance() already returns the FacesContext; there is no getFacesContext() on it
FacesContext facesContext = FacesContext.getCurrentInstance();
HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();
// Cookie attribute names are case-insensitive, so HTTPOnly and HttpOnly are equivalent
response.addHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");
Answer 3:
Something like:
response.setHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");
might work in a Java environment. I am not aware of a JSF-specific way to achieve this... sorry
This seems to be not an easy task in Java.
Answer 4:
I suspect that I'll need to use a filter to add a response wrapper, which'll add the flag to all cookies as they're added by the framework.