I need to add the HttpOnly attribute to all kookies that are being set in our system. Fortunately, I believe the only kookie that is set is the sessionID, which is set automatically by struts.
What would be the best way to set the HttpOnly attribute for the session id Kookie in struts? javax.servlet.http.Kookie does not have a setHttpOnly() attribute (probably since it is an IE 6 SP1 or later standard).
Edit: JavaRanch seems to filter the word c.o.o.k.i.e so all references were changed to Kookie.
Struts does not set the session cookie. The application server does. This is therefore an application server issue, not a Struts issue. I'd suggest looking at your specific application server's documentation in order to find out whether it supports httponly cookies or not. Since there's no support in the Java Cookie API for them, I suspect most application servers will not support them. [ July 20, 2006: Message edited by: Merrill Higginson ]
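
As an added example (not part of the thread and not code from Struts or any application server): whichever layer ends up setting the flag, the Set-Cookie headers the application actually emits can be audited to confirm which cookies are set and which of them lack HttpOnly. The class name `HttpOnlyAudit` and the sample header values are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Added example: lists cookies whose Set-Cookie header lacks the HttpOnly attribute. */
public class HttpOnlyAudit {

    /** Returns the names of cookies set without HttpOnly, in the order seen. */
    static List<String> missingHttpOnly(List<String> setCookieValues) {
        List<String> missing = new ArrayList<>();
        for (String header : setCookieValues) {
            String[] parts = header.split(";");
            // The first part is name=value; everything after it is an attribute.
            String nameValue = parts[0].trim();
            int eq = nameValue.indexOf('=');
            String name = eq < 0 ? nameValue : nameValue.substring(0, eq);

            boolean httpOnly = false;
            for (int i = 1; i < parts.length; i++) {
                // Attribute names are case-insensitive and HttpOnly carries no value.
                // Matching whole attributes avoids a false pass when the cookie
                // *value* merely contains the text "httponly".
                String attr = parts[i].trim().toLowerCase(Locale.ROOT);
                if (attr.equals("httponly")) {
                    httpOnly = true;
                    break;
                }
            }
            if (!httpOnly) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample: Set-Cookie values as captured from HTTP responses.
        List<String> captured = Arrays.asList(
            "JSESSIONID=0123456789ABCDEF; Path=/app",    // session id, flag absent
            "theme=httponly-dark; Path=/",               // value mentions it, attribute absent
            "lang=en; path=/; httponly",                 // lower-case attribute, flag present
            "csrf=abc123; Path=/app; Secure; HttpOnly"); // flag present

        // Prints: Cookies missing HttpOnly: JSESSIONID, theme
        System.out.println("Cookies missing HttpOnly: "
            + String.join(", ", missingHttpOnly(captured)));
    }
}
```

Feeding it the Set-Cookie values from a proxy log or from browser developer tools also checks the assumption that the session id is the only cookie the application sets.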