Sun Java System Access Manager 7.1 Release Notes

Access Manager session cookies can be marked as HTTPOnly (6843487)

The new com.sun.identity.cookie.httponly property allows Access Manager session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.

By default, the value for com.sun.identity.cookie.httponly is false. To use this new property, add it with a value of true to the file and restart the Access Manager web container

You must also set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the file.