Our application uses Servlet 2.5. We need to set Session Cookies as Http-Only. Servlet 3.0 has provision to allow cookies to be marked as HttpOnly. I am not sure how to have the same in Servlet 2.5. Any help on this is greatly appreciated.
From the Servlet 3.0 Javadoc for javax.servlet.http.Cookie:
HttpOnly cookies are not supposed to be exposed to client-side scripting code, and may therefore help mitigate certain kinds of cross-site scripting attacks.
So, are you looking for "Cookies" that are accessible by the server, and not the client? If so, use javax.servlet.http.HttpSession and store your server-side only attributes in the Session. None of those attributes are ever exposed to the client.
This page has details of setting it up with Tomcat 6.0, and doing it by hand - https://www.owasp.org/index.php/HttpOnly
But, consider - is this truly safer than storing data server-side via the HttpSession?
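One way to do the "by hand" approach from the linked OWASP page in a Servlet 2.5 container, as an added example (not code from the answer above or from OWASP): a filter that re-emits the session cookie with the HttpOnly attribute. The filter class name and its `/*` mapping in web.xml are assumptions; the cookie name is the Servlet default, which the container may have been configured to change.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical Servlet 2.5 filter: writes the session cookie by hand with the
 * HttpOnly attribute, since the 2.5 Cookie API has no setHttpOnly(). Map it to
 * /* in web.xml so it runs before any servlet or other filter writes cookies.
 */
public class HttpOnlySessionCookieFilter implements Filter {

    /** Default Servlet session cookie name; assumption that the container was not reconfigured. */
    static final String SESSION_COOKIE = "JSESSIONID";

    /** Builds the Set-Cookie value: id, path scoped to this web app, HttpOnly, and Secure on TLS. */
    static String sessionCookieHeader(String sessionId, String contextPath, boolean secure) {
        String path = (contextPath == null || contextPath.length() == 0) ? "/" : contextPath;
        StringBuilder sb = new StringBuilder()
            .append(SESSION_COOKIE).append('=').append(sessionId)
            .append("; Path=").append(path)
            .append("; HttpOnly");
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Creates the session if absent (same side effect as the OWASP snippet); only a
        // newly created session causes the container to emit a Set-Cookie we must override.
        HttpSession session = request.getSession();
        if (session.isNew()) {
            // setHeader replaces any Set-Cookie already written, including the container's
            // own JSESSIONID, so the browser receives exactly one session cookie, with HttpOnly.
            response.setHeader("Set-Cookie",
                sessionCookieHeader(session.getId(), request.getContextPath(), request.isSecure()));
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Because setHeader discards earlier Set-Cookie headers, this filter must be first in the chain; on Tomcat 6.0.19 and later the container-side alternative the linked page covers is `useHttpOnly="true"` on the Context element.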