Jetty 7 is old ... VERY old now ... It was supporting Servlet 2.5, which didn't support setting the HttpOnly option in the cookies. The result was that the only way to set that was to do it via the SessionManager directly.
However, lots has changed since then. Jetty 9 is Servlet 3.1, it has a javax.servlet.SessionCookieConfig object
http://docs.oracle.com/javaee/7/api/javax/servlet/SessionCookieConfig.html

In there, you will find setHttpOnly(boolean)
http://docs.oracle.com/javaee/7/api/javax/servlet/SessionCookieConfig.html#setHttpOnly-boolean-

You can choose to use the ServletContext when the webapp is started (or starting) and configure it using normal servlet initialization techniques.

Or you can use the same object via the SessionManager.

    webappcontext.getSessionHandler().getSessionManager().getSessionCookieConfig().setHttpOnly(true);

Joakim Erdfelt / [email protected]

On Wed, Dec 23, 2015 at 6:06 PM, Benjamin Jaton <[email protected]> wrote:
> Hello,
>
> I am trying to grammatically set the HTTPOnly option, I found this:
>
> http://stackoverflow.com/questions/12968217/making-jsessionid-cookie-be-httponly-in-jetty-7
>
> So I expected to see a setHttpOnly(boolean) here:
>
> http://download.eclipse.org/jetty/9.3.6.v20151106/apidocs/org/eclipse/jetty/server/SessionManager.html
>
> but no luck.
> Any pointers?
>
> Thanks
> Ben
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
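The ServletContext route mentioned in the reply, written out as an added example; it is not part of the original message and not Jetty project code. The class name `SessionCookieHardeningListener` is hypothetical, and the `setSecure(true)` call assumes the webapp is served only over HTTPS.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Hypothetical listener name; register it with @WebListener as here,
// or with a <listener> element in web.xml.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Servlet 3.0+ API. The setters throw IllegalStateException once
        // the context has finished initializing, so this has to run
        // during startup, which is when listeners are called.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        // Keep the session cookie out of reach of document.cookie.
        cfg.setHttpOnly(true);

        // Assumption: HTTPS-only deployment. Remove this line if the
        // application must also keep sessions over plain HTTP.
        cfg.setSecure(true);

        ctx.log("Session cookie '" + cfg.getName()
                + "' httpOnly=" + cfg.isHttpOnly()
                + " secure=" + cfg.isSecure());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

After deployment, the `Set-Cookie` response header that creates the session should carry the `HttpOnly` attribute (and `Secure` if that line was kept).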
