Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.
By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Add com.sun.identity.cookie.httponly with a value of true.
Click Save and log out of the Console.
Restart the OpenSSO Enterprise web container.
You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.