I have a Tomcat server on my localhost, and the deploy server is Jetty. I use Spring 2.5 with Spring Security 2.0 (Servlets are 2.5). I want to secure the session ID of our users. I have used these directives to set Tomcat to use HttpOnly cookies.

<Context useHttpOnly="true">
...
</Context>

And all works fine (on Tomcat). Now I want to do a similar thing on Jetty. Is it possible? Or is it possible to manage it only in the application context?

Thank you very much.

Jiri Vlasimsky

1 Answer

I think you should be able to easily upgrade to Jetty 8, which supports Servlet 3.0. There you have a standard way for that configuration. See this answer for how to do it in web.xml.

Bozho
  • I can't upgrade to Jetty 8 due to the fact that the server is in a company and the administrator won't upgrade it :( Any other idea? – Jiri Vlasimsky Apr 23 '11 at 17:15
  • For posterity, perhaps this will help: http://stackoverflow.com/questions/12968217/making-jsessionid-cookie-be-httponly-in-jetty-7 – DavidS Dec 04 '13 at 22:29
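
The standard Servlet 3.0 `web.xml` configuration that the answer refers to looks like the following. This is an added example, not part of the original answer or comments; it only takes effect in a Servlet 3.0 container such as Jetty 8, and the `secure` flag and the 30-minute timeout are assumptions (an application served only over HTTPS).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- version="3.0" is required: cookie-config is not part of the Servlet 2.5 schema -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <!-- Assumed value: idle sessions expire after 30 minutes -->
    <session-timeout>30</session-timeout>

    <cookie-config>
      <!-- Container-independent equivalent of Tomcat's useHttpOnly="true":
           the session cookie is not readable from document.cookie -->
      <http-only>true</http-only>
      <!-- Assumption: HTTPS-only deployment; the cookie is never sent over plain HTTP -->
      <secure>true</secure>
    </cookie-config>

    <!-- Track sessions by cookie only, so the session ID is never
         written into URLs as ;jsessionid=... where HttpOnly cannot protect it -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

After deployment, the `Set-Cookie` response header for `JSESSIONID` should carry the `HttpOnly` attribute on both Tomcat and Jetty.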