In any web application, cookies play a significant role in the behavior of the application. Whether for user experience, personalization, analytics or session management, cookies are part of every web module. Cookies are so central to web applications that privacy regulations include clauses about cookies and web apps, and every web application must alert the user to their use.
Importance of the HttpOnly Flag in Cookies
Should every cookie have the HttpOnly flag set?
The HttpOnly flag tells the browser to withhold the cookie from client-side script (it is not exposed through document.cookie), so a script-injection flaw in the page cannot read it. There is usually no good reason not to set the HttpOnly flag on all cookies, unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value.
So setting the HttpOnly flag is always conditional on that requirement, and you should evaluate for each cookie whether to set it.
How to set the HttpOnly flag on a cookie?
# J2EE Servlet API (Servlet 3.0 or later): set the flag on the Cookie object before it is written to the response

    // HttpServletRequest has no getCookie(name); request.getCookies() returns an array,
    // and a cookie taken from it must be re-added to the response for the flag to have
    // any effect, because HttpOnly lives in the Set-Cookie header the server sends.
    Cookie cookie = new Cookie("myCookieName", value);
    cookie.setHttpOnly(true);   // setHttpOnly() was added in Servlet 3.0
    response.addCookie(cookie);

# Java Enterprise application: WEB-INF/web.xml (Servlet 3.0 descriptor) marks the session cookie HttpOnly

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

# Tomcat 6: in context.xml, the useHttpOnly attribute does the same for the session cookie

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/exampleApp" useHttpOnly="true" />
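The per-cookie decision described above (HttpOnly on everything except cookies a legitimate script must read) can be enforced in one place with a servlet filter. This is an added example, not code from the original article; the class name, the allow-listed cookie name and the assumption of a Servlet 3.0+ container are mine.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of the original article): every cookie the
 * application emits through addCookie() is marked HttpOnly unless its name is
 * explicitly allow-listed because a client-side script must read it.
 * Requires Servlet 3.0+ for Cookie.setHttpOnly().
 */
@WebFilter("/*")
public class HttpOnlyCookieFilter implements Filter {

    // Constructed allow-list: the only cookies scripts are permitted to read.
    private static final Set<String> SCRIPT_READABLE = Set.of("ui_theme");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Hand the rest of the chain a wrapped response so the rule applies app-wide.
        chain.doFilter(req, new HttpOnlyResponse((HttpServletResponse) res));
    }

    @Override
    public void destroy() { }

    /** Intercepts addCookie() so the decision is made once, not in every servlet. */
    static final class HttpOnlyResponse extends HttpServletResponseWrapper {
        HttpOnlyResponse(HttpServletResponse response) { super(response); }

        @Override
        public void addCookie(Cookie cookie) {
            if (!SCRIPT_READABLE.contains(cookie.getName())) {
                cookie.setHttpOnly(true);
            }
            super.addCookie(cookie);
        }
    }
}
```

The filter only sees cookies added via addCookie(); the container-generated session cookie and any Set-Cookie header written with setHeader() bypass it, so the web.xml or context.xml setting above is still needed for JSESSIONID.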