Sun Java System Access Manager 7 2005Q4 Release Notes

CR# 6843487: Access Manager session cookies can be marked as HTTPOnly

Patch 11 includes the new com.sun.identity.cookie.httponly property to allow Access Manager session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can avoid cross site scripting (XSS) attacks.

By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, add it to the file with a value of true and then restart the Access Manager web container.