Setting the HttpOnly Flag – Java

/0 Comments/in /by

For older versions of servlet

Add the following on cookie creation

String sessionid = request.getSession().getId();
response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");

For servlet version 3.0 or later

Add the following lines into web.xml file

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
<session-config>

Reference

https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *