How do I set the HttpOnly flag on JSF/Richfaces

Question

I'd like to add the HttpOnly flag to JSF/richfaces cookies, especially the session cookie, to up the level of security on my web app. Any ideas?

Answer 1

Something like:

response.setHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");

might work in a Java environment. I am not aware of a JSF-specific way to achieve this... sorry

This seems to be not an easy task in Java.

Answer 2

There may be something that allows you to do this in your servlet engine. This is part of the Servlet 3.0 spec which is yet to be released.

Answer 3

I suspect that I'll need to use a filter to add a response wrapper, which'll add the flag to all cookies as they're added by the framework.

Answer 4

FacesContext facesContext = FacesContext.getCurrentInstance().getFacesContext();

HttpServletResponse response = (HttpServletResponse) facesContext.getExternalContext().getResponse();

response.addHeader("Set-Cookie", "yourcookiename=yourcookievalue; HTTPOnly");