I am trying to provide a solution for a security vulnerability in an application using servlet 2.4, struts 1.3 and JBoss 4.2.0. For this I need to set the cookie type as HttpOnly. I have found that:
1. Starting from servlet v. 3.0, the Cookie interface has an HttpOnly attribute.
2. Starting from Tomcat 6.0, we can provide a useHttpOnly context param in context.xml.
I also found that for older versions the workaround is to rewrite the JSESSIONID value by setting it as a custom header.
I tried setting useHttpOnly in <JBOSS_HOME>/server/default/deploy/jboss-web.deployer/context.xml, but I can still access the cookie with client-side script.
1. Since I am using servlet 2.4, I may have to rebuild the header to put httpSessionOnly.
2. I am using JBoss 4.2.0, which has embedded Tomcat v. < 5.0; it might not recognize the httpSessionOnly attribute.
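The header-rewriting workaround mentioned in the question, as an added example written for this page (not code from the question, from JBoss, Struts or Tomcat): a Servlet 2.4 Filter that creates the session itself and then replaces the container's JSESSIONID Set-Cookie header with one carrying HttpOnly. The class name, the Secure flag on HTTPS, and the assumption that the container emits its session cookie at session creation and that `setHeader` replaces that header (rather than adding a second one) are assumptions made here.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter for Servlet 2.4 containers without Cookie.setHttpOnly().
 * It creates the session itself so the container writes its JSESSIONID
 * Set-Cookie now, then overwrites that header with one that carries HttpOnly.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only rewrite when the container is sending a new session cookie;
        // a session the browser already holds produces no Set-Cookie header.
        HttpSession session = request.getSession(true);
        if (session.isNew() && !response.isCommitted()) {
            String path = request.getContextPath();
            if (path == null || path.length() == 0) {
                path = "/";
            }
            StringBuffer cookie = new StringBuffer();
            cookie.append("JSESSIONID=").append(session.getId());
            cookie.append("; Path=").append(path);
            if (request.isSecure()) {
                cookie.append("; Secure"); // assumed: keep the cookie off plain HTTP
            }
            cookie.append("; HttpOnly");
            // setHeader (not addHeader) replaces the container-written Set-Cookie,
            // so the browser does not receive two JSESSIONID cookies.
            response.setHeader("Set-Cookie", cookie.toString());
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to /* in web.xml ahead of the Struts action servlet, and verify the result in the browser's cookie store rather than with document.cookie, since the whole point is that script can no longer read it. Note that the filter forces a session on every request, so exclude static resources if that matters for your application.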