Hi, I have the below details about the problem. Please go through it and let me know if I am making any mistakes.

Environment

    Tomcat7
    Windows7/Centos6.3 64bit
    jdk 7
    Mozilla firefox 25.0.1

CATALINA_HOME/conf/context.xml

    <Context useHttpOnly="true">
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
    </Context>

Since I am using Tomcat7, I don't think I need to configure useHttpOnly="true" explicitly.

Java code which generates the cookie

    response.setContentType("text/html");
    PrintWriter pw = response.getWriter();
    Cookie cookie = new Cookie("url","testing userHttpOnly");
    Cookie cookie1 = new Cookie("Mr.x","testing the cookie");
    cookie.setMaxAge(60*60); //1 hour
    String sessionid = request.getSession().getId();
    String contextPath = request.getContextPath();
    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath);
    response.addCookie(cookie);
    response.addCookie(cookie1);
    pw.println("Cookies created");

When I verified the HTTP header, I was able to see the cookie values as

    Set-Cookie: JSESSIONID=660BA8ABDC53B0B91AC53A533410FB2B; Path=/UserHttpOnlyTest
    Set-Cookie: url="testing userHttpOnly"; Version=1; Max-Age=3600; Expires=Thu, 21-Nov-2013 19:30:14 GMT
    Set-Cookie: Mr.x="testing the cookie"; Version=1

And my browser could access the cookie using "document.cookie" and I could alert the cookie values.

With the below line, I could see the ;HttpOnly along with the cookie information in the HTTP header, and the same JavaScript code returns "undefined", which is what I wanted.

    response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; Path=" + contextPath + "; HttpOnly" );

Conclusion: As per my understanding, the cookie should be HttpOnly with the way I configured my context.xml. No Java code is required for that. But this is not happening for me. Please let me know if I missed anything.

Thanks in advance.
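
An added example, not part of the original post: a Servlet 3.0 version of the code above that lets the container issue JSESSIONID instead of overwriting it with a hand-built Set-Cookie header, and sets HttpOnly on the two application cookies with Cookie.setHttpOnly(true), since the context-level useHttpOnly setting applies to the session cookie the container creates. The class name HttpOnlyCookieServlet and the /cookies mapping are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name and URL pattern (assumptions for this example).
@WebServlet("/cookies")
public class HttpOnlyCookieServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/html");

        // Create the session before the response is committed and let the
        // container write the JSESSIONID cookie itself. A manual
        // response.setHeader("SET-COOKIE", ...) replaces the container's
        // header with exactly the string passed in, attributes included.
        request.getSession();

        // Application cookies are not session cookies, so each one needs
        // the HttpOnly attribute set explicitly (Servlet 3.0 API).
        Cookie cookie = httpOnlyCookie("url", "testing userHttpOnly");
        cookie.setMaxAge(60 * 60); // 1 hour
        response.addCookie(cookie);
        response.addCookie(httpOnlyCookie("Mr.x", "testing the cookie"));

        PrintWriter pw = response.getWriter();
        pw.println("Cookies created");
    }

    // Builds a cookie that scripts cannot read through document.cookie.
    private static Cookie httpOnlyCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);
        return c;
    }
}
```

To check the result, inspect the response headers as in the post: each Set-Cookie line should now end with HttpOnly, and document.cookie should no longer expose the values.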