By default, the Oracle Commerce Platform sets the HttpOnly attribute when it adds cookies to Web application clients. The HttpOnly attribute restricts use of Oracle Commerce Platform cookies to HTTP or HTTPS requests and prevents access by JavaScript. Note that this attribute does not affect the jsessionid cookie, which is controlled by the application server.

You can control this behavior by setting the createHttpOnlyCookie property of the /atg/dynamo/servlet/ServletUtil component. If the value of the boolean createHttpOnlyCookie property is true (the default), the Oracle Commerce Platform will set the HttpOnly attribute when adding cookies. If the value is false, it will not.
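
One way to confirm the effect of createHttpOnlyCookie on a running site is to audit the Set-Cookie headers it returns. The following is an added example, not Oracle code: the function names, cookie names and header values are constructed for illustration, and it assumes the session cookie is named JSESSIONID and is reported separately because the application server controls it.

```python
# Added example: audit Set-Cookie header values for the HttpOnly attribute.
# All header values below are constructed samples, not captured traffic.

# Assumption: cookies in this set are issued by the application server,
# so createHttpOnlyCookie has no effect on them.
APP_SERVER_COOKIES = {"jsessionid"}


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes follow the first name=value pair; compare case-insensitively.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_http_only(set_cookie_values):
    """Sort cookies into ok / platform_missing / app_server_missing."""
    report = {"ok": [], "platform_missing": [], "app_server_missing": []}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if "httponly" in attrs:
            report["ok"].append(name)
        elif name.lower() in APP_SERVER_COOKIES:
            # Fix this in the application server's session configuration.
            report["app_server_missing"].append(name)
        else:
            # Fix this by leaving createHttpOnlyCookie at true.
            report["platform_missing"].append(name)
    return report


# Constructed sample input. The last entry carries "HttpOnly" as the cookie
# *value*, which a plain substring search would wrongly accept.
SAMPLE_HEADERS = [
    "DYN_USER_ID=1234567; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; HttpOnly",
    "DYN_USER_CONFIRM=abcdef; Path=/; httponly",
    "JSESSIONID=0A1B2C3D; Path=/store",
    "promoSeen=HttpOnly; Path=/",
]

if __name__ == "__main__":
    for bucket, names in audit_http_only(SAMPLE_HEADERS).items():
        print(bucket, names)
```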