HttpOnly Cookie configuration in Jetty Server used in UberJar is not taking effect

Hello Support Team,

I am trying to set the JSESSIONID cookie to be secured by setting the HttpOnly cookie flag to true. I tried the following options with no success:
(note that I am using the default UberJar deployment method provided in the official documentation)

Option 1: Configuring the Jetty-env.xml (note the sessionHandler):

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-" "">
<Configure id='wac' class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="sessionHandler">
        <Get name="sessionManager">
            <Set name="httpOnly" type="boolean">true</Set>
    <New id="CubaDS" class="">
            <New class="org.apache.commons.dbcp2.BasicDataSource">
                <Set name="driverClassName">org.postgresql.Driver</Set>
                <Set name="url">jdbc:postgresql://db/vp</Set>
                <Set name="username">**********</Set>
                <Set name="password">**********</Set>
                <Set name="maxIdle">2</Set>
                <Set name="maxTotal">20</Set>
                <Set name="maxWaitMillis">5000</Set>

Option 2: Configuring the Web.xml as follows (note the session-config):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<web-app xmlns=""
    <!-- Application properties config files -->
    <!--Application components-->

Can you please let me know what I am doing wrong and why none of my trials is taking effect, as the cookie sent to the browser still doesn't have the HttpOnly flag set to true?

I found the problem: I was modifying the wrong web.xml file. The correct one to modify is the web.xml file in the web module, not the one in the core module.

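A check for the situation resolved above, added here as an example and not part of the original thread: it reports whether a given web.xml declares `http-only` under `session-config`/`cookie-config` (the standard Servlet 3.0 descriptor setting), and whether a `Set-Cookie` value for JSESSIONID actually carries HttpOnly. The descriptor strings, cookie values and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def _child(elem, name):
    """First direct child whose tag equals name, ignoring any XML namespace."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)


def declares_http_only(web_xml_text):
    """True if session-config/cookie-config/http-only is 'true' in this descriptor."""
    root = ET.fromstring(web_xml_text)
    cookie_config = _child(_child(root, "session-config"), "cookie-config")
    node = _child(cookie_config, "http-only")
    return node is not None and (node.text or "").strip().lower() == "true"


def cookie_is_http_only(set_cookie_value, name="JSESSIONID"):
    """True if this Set-Cookie header value sets `name` with the HttpOnly attribute."""
    first, *attrs = [part.strip() for part in set_cookie_value.split(";")]
    if first.partition("=")[0].strip() != name:
        return False
    return any(attr.lower() == "httponly" for attr in attrs)


# Constructed descriptors mirroring the thread: the edited core-module file
# declares http-only, the web-module file that is actually served does not.
CORE_MODULE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>"""
WEB_MODULE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

# Constructed Set-Cookie values before and after fixing the web-module descriptor.
COOKIE_BEFORE = "JSESSIONID=node0exampleid.node0; Path=/app"
COOKIE_AFTER = "JSESSIONID=node0exampleid.node0; Path=/app; HttpOnly"

if __name__ == "__main__":
    for label, xml_text in (("core", CORE_MODULE_WEB_XML), ("web", WEB_MODULE_WEB_XML)):
        print(label, "web.xml declares http-only:", declares_http_only(xml_text))
    for label, value in (("before", COOKIE_BEFORE), ("after", COOKIE_AFTER)):
        print(label, "response cookie HttpOnly:", cookie_is_http_only(value))
```

Checking the response header is the decisive test, since it shows which descriptor the running server actually loaded.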