Our application uses Servlet 2.5. We need to set Session Cookies as Http-Only. Servlet 3.0 has provision to allow cookies to be marked as HttpOnly. I am not sure how to have the same in Servlet 2.5. Any help on this is greatly appreciated.
You might need to explain a bit more about what you are trying to accomplish.
From the Servlet 3.0 Javadoc for javax.servlet.http.Cookie:
HttpOnly cookies are not supposed to be exposed to client-side scripting code, and may therefore help mitigate certain kinds of cross-site scripting attacks.
So, are you looking for "Cookies" that are accessible by the server, and not the client? If so, use javax.servlet.http.HttpSession and store your server-side only attributes in the Session. None of those attributes are ever exposed to the client.
In preparing for battle I have always found that plans are useless, but planning is indispensable. -- Dwight D. Eisenhower
Another comment - it looks like some app servers (like Tomcat 6.0) support HttpOnly within the context.xml. Another option is to write the Cookie from scratch (rather than using the HttpCookie object), sending the HTTP headers to create a HttpOnly Cookie.