By default, Oracle ATG Web Commerce sets the HttpOnly attribute when it adds ATG cookies to Web application clients. The HttpOnly attribute restricts use of ATG cookies to HTTP or HTTPS requests and prevents access by JavaScript. Note that this attribute does not affect the jsessionid cookie, which is controlled by the application server.

You can control this behavior by setting the createHttpOnlyCookie property of the /atg/dynamo/servlet/ServletUtil component. If the value of the boolean createHttpOnlyCookie property is true (the default), Oracle ATG Web Commerce will set the HttpOnly attribute when adding cookies. If the value is false, it will not.
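One way to confirm the effective behavior from the client side, as an added example that is not part of Oracle's documentation: the Python script below checks Set-Cookie response headers for the HttpOnly attribute and reports jsessionid separately, because the application server controls that cookie rather than createHttpOnlyCookie. The header lines and cookie names are constructed samples, and treating every cookie other than jsessionid as ATG-issued is an assumption.

```python
# Constructed sample Set-Cookie header values (one per response header line).
# Cookie names and values are illustrative, not captured from a real site.
SAMPLE_HEADERS = [
    "DYN_USER_ID=1234567; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
    "DYN_USER_CONFIRM=abcdef; Path=/",
    "JSESSIONID=0A1B2C3D; Path=/store; Secure",
    "promo=banner1; Path=/; httponly",
]

# Cookies issued by the application server, which createHttpOnlyCookie does not affect.
APP_SERVER_COOKIES = {"jsessionid"}


def parse_set_cookie(header):
    """Return (cookie_name, set of lowercased attribute names)."""
    # Split on ';' only: the Expires value contains a comma, so commas are not separators.
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_httponly(headers):
    """Map each cookie name to 'ok', 'missing-atg' or 'missing-appserver'."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" in attrs:  # attribute names are case-insensitive
            findings[name] = "ok"
        elif name.lower() in APP_SERVER_COOKIES:
            # Fix this one in the application server's session configuration.
            findings[name] = "missing-appserver"
        else:
            # Assumption: cookie is ATG-issued, so check createHttpOnlyCookie
            # on /atg/dynamo/servlet/ServletUtil.
            findings[name] = "missing-atg"
    return findings


if __name__ == "__main__":
    for cookie, status in audit_httponly(SAMPLE_HEADERS).items():
        print(f"{cookie}: {status}")
```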


Copyright © 1997, 2014 Oracle and/or its affiliates. All rights reserved.