JBoss 5. HttpOnly session cookies

Posted 2019-06-05 10:15

Question:

How to configure JBoss 5.1.* to make session cookie HttpOnly?

<Context useHttpOnly="true">

Doesn't work.

Answer 1:

Have you tried

<SessionCookie secure="true" httpOnly="true" />

as explained here.



Answer 2:

I'm using JBoss [EAP] 5.0.1 and adding

<SessionCookie secure="true" httpOnly="true" />

in <myJBossServerInstancePath>/deploy/jbossweb.sar/context.xml

<Context cookies="true" crossContext="true">
    <SessionCookie secure="true" httpOnly="true" />
    ...

works perfectly (thanks Luciano).



Answer 3:

Add

<SessionCookie secure="true" httpOnly="true" />

In $JBOSS_HOME/deploy/jbossweb.sar/context.xml

<Context cookies="true" crossContext="true">
   <SessionCookie secure="true" httpOnly="true" />

Make sure HTTPS/SSL is configured in the server for this to work.
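
A way to check that the `<SessionCookie>` setting from the answers took effect, as an added example that is not part of the original thread: it reads raw response headers and reports which of `HttpOnly` and `Secure` are missing from the session cookie. The cookie name `JSESSIONID`, the `/app` path and both sample responses are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the session cookie's flags.
# The two SAMPLE_* responses are constructed, not captured from a real server.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attr names lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(raw_headers, cookie_name="JSESSIONID"):
    """Return the flags missing from cookie_name, or None if it is never set."""
    missing = None
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Header field names are case-insensitive; the status line has no colon.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue
        found = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        # If the cookie is set more than once, report a flag missing from any copy.
        missing = found if missing is None else sorted(set(missing) | set(found))
    return missing


if __name__ == "__main__":
    print("before:", audit_session_cookie(SAMPLE_BEFORE))
    print("after: ", audit_session_cookie(SAMPLE_AFTER))
```

Feed it the headers of the first response that creates the session; because `secure="true"` makes the browser send the cookie only over HTTPS, run the check against the HTTPS listener.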