Hi, I need to enable the session security cookie to httponly.I tried to update the context.xml
<!-- The contents of this file will be loaded for each web application --> <Context useHttpOnly="true"> <!-- Default set of monitored resources --> <WatchedResource>WEB-INF/web.xml</WatchedResource> <!-- Uncomment this to disable session persistence across Tomcat restarts --> <!-- <Manager pathname="" /> --> But it doesn't work. "CONFIDENTIALITY NOTICE: This message and any attachment are confidential and may also be privileged. If you are not the intended recipient of this e-mail you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. If you are not the intended recipient please telephone or e-mail the sender and delete this message and any attachment from your system."