I'm trying to set the HttpOnly flag of the xsrf-token cookie to true in my Jersey application. At the moment I have two cookies: the HttpOnly flag of the jsession id cookie is set to true, while the other is set to false.
I have this in my web.xml:
<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
But the xsrf cookie's HttpOnly flag is always false. How can I change the flag of that cookie?