In any web application, cookies play a very significant role in the application's behaviour. Whether for user experience, personalization, analytics or session management, cookies are part of every web module. Cookies are so critical to a web application that privacy regulations include clauses about cookies and web apps, and every web application must alert the user to them.
Importance of HttpOnly Flag in Cookie
If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read or set by client-side JavaScript. This makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit, because an injected script cannot trivially capture the cookie's value.
Should every cookie have the HttpOnly flag set?
There is usually no good reason not to set the HttpOnly flag on all cookies, unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value.
So setting the HttpOnly flag is conditional on that requirement, and you should evaluate for each cookie whether to set it.
How to set the HttpOnly flag in a cookie?
#J2EE Servlet API (Servlet 3.0 or later; the flag must be set on the cookie before it is added to the response)
Cookie cookie = new Cookie("myCookieName", "myValue");
cookie.setHttpOnly(true);
response.addCookie(cookie);
#Java Enterprise application WEB-INF/web.xml
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
#Tomcat 6 in context.xml
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/exampleApp" useHttpOnly="true">
</Context>
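When the container-level settings above are not available, or when a few cookies must stay readable by script (the exception discussed earlier), the flag can be enforced in the application itself. The filter below is an added example, not code from the original post; it assumes a Servlet 3.0+ container and uses a hypothetical allow-list of cookie names that client-side JavaScript legitimately reads.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not from the page): every cookie the application adds leaves
// with HttpOnly set, except the named cookies that client-side script must read.
@WebFilter("/*")
public class HttpOnlyCookieFilter implements Filter {
    // Assumed allow-list of cookies legitimately read by JavaScript (placeholder names).
    private static final Set<String> SCRIPT_READABLE =
            new HashSet<>(Arrays.asList("uiTheme", "csrfToken"));

    /** Returns true when the cookie should carry the HttpOnly flag. */
    static boolean needsHttpOnly(Cookie cookie) {
        return !SCRIPT_READABLE.contains(cookie.getName());
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Wrap the response so every addCookie() call in a servlet or JSP passes through here.
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(http) {
            @Override
            public void addCookie(Cookie cookie) {
                if (needsHttpOnly(cookie)) {
                    cookie.setHttpOnly(true); // same Servlet 3.0 call as the snippet above
                }
                super.addCookie(cookie);
            }
        };
        chain.doFilter(req, wrapped);
    }

    @Override
    public void destroy() { }
}
```

Cookies written directly with setHeader("Set-Cookie", ...) bypass addCookie() and are not covered by this filter, so a response-header check in testing is still worthwhile.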