Earlier I was getting HttpOnly for both the HTTP and HTTPS protocols, but the Secure attribute was missing.
In order to add the "Secure" attribute, I added secure="true" in server.xml's Connector port syntax as below –
<Connector address="10.23.17.69" port="8000" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="UTF-8" server="Dev" secure="true" />
Also added "cookie-config" in web.xml as below –
<session-config>
    <session-timeout>120</session-timeout>
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
Now for HTTPS protocol, I’m getting ‘Secure’ and ‘HttpOnly’ flags as true for Session cookie as below.
But for the HTTP protocol, I'm not getting the HttpOnly attribute. I need "HttpOnly=true" in the case of the HTTP protocol.
Please note, my context.xml's "Context" element already contains the useHttpOnly attribute as follows -
<Context useHttpOnly="true">
....
</Context>
Any suggestion is much appreciated.
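One way to check the outcome of the configuration above on each scheme, as an added example that is not part of the original post: it parses Set-Cookie headers and reports when the session cookie lacks the flags the question asks for (HttpOnly on HTTP, Secure and HttpOnly on HTTPS). The function names are hypothetical, the header values are constructed samples, and the cookie name JSESSIONID (Tomcat's default) is an assumption.

```python
# Added example: check session-cookie flags per scheme from Set-Cookie headers.
# Policy mirrors the question: HttpOnly on HTTP, Secure + HttpOnly on HTTPS.
REQUIRED = {"http": {"httponly"}, "https": {"httponly", "secure"}}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(scheme, set_cookie_headers, cookie_name="JSESSIONID"):
    """Return findings for the session cookie seen on one scheme."""
    findings = []
    matched = False
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        matched = True
        for flag in sorted(REQUIRED[scheme] - set(attrs)):
            findings.append(f"{scheme}: {name} missing {flag}")
        if scheme == "http" and "secure" in attrs:
            # A Secure cookie is only returned over HTTPS, so a session
            # issued this way is not sent back on later plain-HTTP requests.
            findings.append(f"{scheme}: {name} is Secure on a plaintext response")
    if not matched:
        findings.append(f"{scheme}: no {cookie_name} cookie in response")
    return findings


# Constructed sample headers (not captured from the poster's server).
SAMPLE = {
    "https": ["JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"],
    "http": ["JSESSIONID=0123456789ABCDEF; Path=/app; Secure"],
}

if __name__ == "__main__":
    for scheme, headers in SAMPLE.items():
        for line in audit(scheme, headers) or [f"{scheme}: ok"]:
            print(line)
```

Feed it the Set-Cookie values copied from the browser's network tab or a response capture for each scheme; an empty list means the cookie meets the stated requirement.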
Read this article. I think you have incorrectly set the session cookie's attribute.
It should be: