
How can I set session cookies to be Http-Only in servlet API 2.5? The Cookie.setHttpOnly method was added in servlet API 3.0.

Kyle
  • Could you clarify whether you mean the JSESSIONID cookie specifically or cookies in general that don't live beyond the browser session. – kschneid Jan 24 '11 at 18:31
  • It really depends on the AppServer. See my previous answer here: [http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps/1088009#1088009](http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps/1088009#1088009) – jt. Jan 24 '11 at 18:22
  • I realize this is an old question but I came up with a solution - see my answer for [How do you configure HttpOnly cookies in tomcat / java webapps?](http://stackoverflow.com/a/14610452/9822) – Jesse Vogt Jan 30 '13 at 17:52

2 Answers


I need to do the same thing...

I'm thinking of doing a servlet filter, reading the cookies with request.getCookies(), creating the raw cookies (in a StringBuilder; not the object Cookie), appending HttpOnly and using response.setHeader("Set-Cookie", rawCookies) to put them back.

One thing to be careful about is taking other properties, as in domain, path, secured; not just name and value.

Will let you know how it goes...

PS: also thought of taking the header with request.getHeader('COOKIES') and using regex to append HttpOnly, but it seems that the header COOKIES will only give you the name and the value property

Belun

I think you'll want to create some utility code that will take a Cookie and a flag for whether or not you want HttpOnly. The utility will create the associated string header for the cookie which you can pass to HttpServletResponse.addHeader("Set-Cookie", cookieHeader).

kschneid
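Both answers above describe the same approach: build the Set-Cookie header by hand and append HttpOnly. Here is that approach written out as an added example (it is not code from either answer): a Servlet 2.5 filter that wraps the response so every cookie passed to addCookie() is re-emitted as a raw Set-Cookie header carrying path, domain, max-age, Secure and HttpOnly. The class and method names are my own. A cookie the container writes itself, such as the JSESSIONID cookie kschneid asks about, never passes through addCookie(), so that one still needs the container-level setting jt. links to.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlet 2.5 filter (hypothetical name): cookies added through
// response.addCookie() are rewritten as raw Set-Cookie headers with HttpOnly.
public class HttpOnlyCookieFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Wrap the response so downstream servlets/JSPs need no changes.
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            @Override
            public void addCookie(Cookie cookie) {
                // addHeader (not setHeader) so several cookies do not overwrite each other.
                addHeader("Set-Cookie", toHttpOnlyHeader(cookie));
            }
        });
    }

    /** Builds the Set-Cookie value, keeping the attributes the Cookie object carries. */
    static String toHttpOnlyHeader(Cookie c) {
        String value = c.getValue() == null ? "" : c.getValue();
        // Writing a raw header bypasses the Cookie class's own checks, so refuse
        // separators and control characters that would inject extra attributes or headers.
        for (String s : new String[] { c.getName(), value }) {
            for (int i = 0; i < s.length(); i++) {
                char ch = s.charAt(i);
                if (ch == ';' || ch == ',' || ch < 0x20 || ch == 0x7f) {
                    throw new IllegalArgumentException("illegal character in cookie: " + c.getName());
                }
            }
        }
        StringBuilder sb = new StringBuilder();
        sb.append(c.getName()).append('=').append(value);
        if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        // maxAge < 0 means "session cookie" in the Servlet API, so emit no Max-Age then;
        // 0 deletes the cookie, which Max-Age=0 also expresses.
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure()) sb.append("; Secure");
        sb.append("; HttpOnly");
        return sb.toString();
    }
}
```

Map the filter to the URL patterns that set cookies in web.xml; a cookie created as `new Cookie("pref", "dark")` with `setPath("/")` then leaves as `Set-Cookie: pref=dark; Path=/; HttpOnly`.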