Setting the HttpOnly Flag – Java
For older Servlet versions (before 3.0)
Add the following where the session cookie is created, so that the JSESSIONID cookie is re-issued with the HttpOnly attribute and is no longer readable from script:

    String sessionid = request.getSession().getId();
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
For Servlet version 3.0 or later
Add the following to the web.xml file; the container then sets HttpOnly on the session cookie itself:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>
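The same two approaches in code, as an added example that is not part of the original post or the OWASP reference: a Servlet 3.0+ listener that sets the flag programmatically (the equivalent of the web.xml fragment), a helper for application cookies, and the manual header for pre-3.0 containers. It assumes the javax.servlet namespace (Servlet 3.0 to 4.0) and that the application is served over TLS; the Secure attribute is an added hardening, not something the page requires.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Servlet 3.0+: programmatic equivalent of <session-config><cookie-config>.
// The container calls contextInitialized() once at startup, before any
// session cookie is issued, so every JSESSIONID carries the flag.
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);   // not readable through document.cookie
        cfg.setSecure(true);     // assumption: app is served over TLS only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    // <cookie-config> covers only the session cookie. Application cookies
    // need the flag set individually (Cookie.setHttpOnly exists since 3.0).
    static Cookie httpOnlyCookie(String name, String value, int maxAgeSeconds) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);
        c.setSecure(true);       // same TLS assumption as above
        c.setPath("/");
        c.setMaxAge(maxAgeSeconds);
        return c;
    }

    // Pre-3.0 containers: build the header by hand as the page shows, but use
    // addHeader() so an existing Set-Cookie header on the response is kept
    // rather than replaced by setHeader().
    static void addLegacyHttpOnlyCookie(HttpServletResponse response,
                                        String name, String value) {
        response.addHeader("Set-Cookie",
                name + "=" + value + "; Path=/; Secure; HttpOnly");
    }
}
```

Verify the result by inspecting the Set-Cookie response header in the browser's developer tools; the HttpOnly attribute should appear on JSESSIONID and on any cookie created through httpOnlyCookie().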
Reference
https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly