HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Setting the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (if the browser supports it). Supporting the HttpOnly attribute on the JSESSIONID cookie requires a web container that supports Servlet 3.0 and JDK 1.6 or above. This document describes how to enable the HttpOnly attribute for Strategy Web 9.4.1 in Tomcat 7 (Tomcat 6 does not support Servlet 3.0, so Tomcat 7 is required).
1. Add the following <cookie-config> block within the <session-config> tag in web.xml under the WEB-INF folder:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

2. Save the change and restart tomcat.
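The following Python script is an added example (not part of the original document or the product's own tooling) for checking the result of the two steps above. It checks that a web.xml declares the Servlet 3.0 schema (the <cookie-config> element is only valid in web-app version 3.0 or later) and sets <http-only>true</http-only>, and it inspects Set-Cookie response headers to confirm the JSESSIONID cookie actually carries the HttpOnly flag after the restart. The web.xml fragment and the response headers below are constructed samples; in practice the headers would come from a request to the running server.

```python
"""Verify the HttpOnly JSESSIONID setting: web.xml contents and live headers.

Both sample inputs are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment after the change (a real file has much more).
SAMPLE_WEB_XML_AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed web.xml fragment as it might look before the change.
SAMPLE_WEB_XML_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

# Constructed response headers, as (name, value) pairs.
HEADERS_BEFORE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/"),
]
HEADERS_AFTER = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"),
]


def _local(tag):
    """Strip the XML namespace so tag comparisons ignore the xmlns."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return (servlet_3_or_later, http_only_true) for a web.xml document."""
    root = ET.fromstring(xml_text)
    # The web-app "version" attribute selects the schema; default to 2.5 if absent.
    version = tuple(int(p) for p in root.get("version", "2.5").split("."))
    servlet_ok = version >= (3, 0)

    http_only = False
    for sc in root:
        if _local(sc.tag) != "session-config":
            continue
        for cc in sc:
            if _local(cc.tag) != "cookie-config":
                continue
            for ho in cc:
                if _local(ho.tag) == "http-only":
                    http_only = (ho.text or "").strip().lower() == "true"
    return servlet_ok, http_only


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie value into (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def jsessionid_is_httponly(headers):
    """True only if a JSESSIONID Set-Cookie header exists and every one carries HttpOnly."""
    found = False
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = cookie_flags(value)
        if cookie == "JSESSIONID":
            found = True
            if "httponly" not in attrs:
                return False
    return found


if __name__ == "__main__":
    print("web.xml before:", check_web_xml(SAMPLE_WEB_XML_BEFORE))
    print("web.xml after: ", check_web_xml(SAMPLE_WEB_XML_AFTER))
    print("JSESSIONID HttpOnly before restart:", jsessionid_is_httponly(HEADERS_BEFORE))
    print("JSESSIONID HttpOnly after restart: ", jsessionid_is_httponly(HEADERS_AFTER))
```

The header check is the one that matters operationally: a correct web.xml has no effect until Tomcat is restarted and the web-app schema version is 3.0 or later, so confirming the flag on the Set-Cookie header the server returns is the final proof that the change took effect.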