Sun Java System Access Manager 7.1 Release Notes

Access Manager session cookies can be marked as HTTPOnly (6843487)

The new com.sun.identity.cookie.httponly property allows Access Manager session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks that attempt to read the session cookie.

By default, the value for com.sun.identity.cookie.httponly is false. To use this new property, add it with a value of true to the AMConfig.properties file and restart the Access Manager web container.

You must also set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
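The following check is an added example, not part of the original release notes or of Access Manager. It reports which properties files still leave the property disabled and confirms that a captured Set-Cookie header carries the HttpOnly attribute. The function names, file contents, cookie name and token are constructed placeholders, and only simple key=value lines are parsed (no line continuations).

```python
import re

PROP = "com.sun.identity.cookie.httponly"

def httponly_enabled(properties_text):
    """Return True only if PROP is set to true; an absent property means the default, false."""
    value = "false"
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or properties-file comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m and m.group(1) == PROP:
            value = m.group(2).strip()       # last assignment wins, as in java.util.Properties
    # Assumption: the value is compared case-insensitively.
    return value.lower() == "true"

def files_missing_httponly(files):
    """Given {file name: contents}, list the files that leave HTTPOnly disabled."""
    return sorted(name for name, text in files.items() if not httponly_enabled(text))

def cookie_is_httponly(set_cookie_header, cookie_name):
    """True if this Set-Cookie header value sets cookie_name with the HttpOnly attribute."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    if parts[0].partition("=")[0].strip() != cookie_name:
        return False
    return any(p.lower() == "httponly" for p in parts[1:])

# Constructed sample input: server file updated, client file overlooked.
SAMPLE_FILES = {
    "AMConfig.properties": "# constructed sample\ncom.sun.identity.cookie.httponly=true\n",
    "AMDistAuthConfig.properties": "# constructed sample\n#com.sun.identity.cookie.httponly=true\n",
}
# Constructed Set-Cookie values; the cookie name and token are placeholders.
SAMPLE_COOKIE_OK = "SessionCookieName=TOKEN-PLACEHOLDER; Path=/; HttpOnly"
SAMPLE_COOKIE_BAD = "SessionCookieName=TOKEN-PLACEHOLDER; Path=/"

if __name__ == "__main__":
    for name in files_missing_httponly(SAMPLE_FILES):
        print(f"{name}: {PROP} is not set to true")
    for header in (SAMPLE_COOKIE_OK, SAMPLE_COOKIE_BAD):
        ok = cookie_is_httponly(header, "SessionCookieName")
        print(f"{'OK  ' if ok else 'FAIL'} {header}")
```

Replace SessionCookieName with the session cookie name configured for your deployment, and run the header check against a response captured after the web container restart.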