In JBoss 7 EAP, in order for the HttpOnly and Secure settings for session cookies to take effect, they must be set in the jboss-all.xml file in the META-INF directory of the EAR file.

For example, to set these options in an existing EAR file, create a jboss-all.xml file in the META-INF directory and include the following in the file:
    <jboss xmlns="urn:jboss:1.0">
      <shared-session-config xmlns="urn:jboss:shared-session-config:1.0">
        <session-config>
          <cookie-config>
            <path>/</path>
            <http-only>true</http-only>
            <secure>true</secure>
          </cookie-config>
        </session-config>
      </shared-session-config>
    </jboss>
To avoid the need to recreate this file each time you regenerate an EAR file, Oracle Commerce can automatically copy an existing jboss-all.xml file into the META-INF directory. There are a number of options for where it can obtain this file, depending on whether you use runAssembler or CIM to generate the EAR file.
If you use CIM to regenerate an EAR file, it first looks for a jboss-all.xml file in the <JBdir>/standalone/configuration directory, and if there is one, copies it into the new EAR file. If there is no jboss-all.xml file in that location, it then looks in the META-INF directory of the existing EAR. If there is no jboss-all.xml file in that location either, it generates a new one.
If you use runAssembler to regenerate an EAR file, you can specify the location of a jboss-all.xml file to copy into the generated EAR file. For example:

    runAssembler -jboss-all-path D:\development\configuration ...
If you do not specify a location in the command, runAssembler uses the same logic as CIM to find a jboss-all.xml file, and if none is found, generates a new one.
Note that if runAssembler or CIM generates a jboss-all.xml file, it contains the following settings:

    <http-only>true</http-only>
    <secure>false</secure>
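Because a generated jboss-all.xml leaves <secure> at false, it is worth verifying the flags in the assembled EAR before deployment rather than assuming the copied file was picked up. The following Python script is an added example (not part of Oracle Commerce or JBoss) that opens an EAR, parses META-INF/jboss-all.xml under the urn:jboss:shared-session-config:1.0 namespace, and reports any flag that is not true; build_sample_ear is a constructed stand-in for a real EAR.

```python
"""Check the session-cookie flags declared in an EAR's META-INF/jboss-all.xml."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

SSC_NS = "urn:jboss:shared-session-config:1.0"
JBOSS_ALL = "META-INF/jboss-all.xml"


def cookie_flags_from_xml(xml_text: str) -> dict:
    """Return {'http-only': bool|None, 'secure': bool|None}; None = element absent."""
    root = ET.fromstring(xml_text)
    flags = {"http-only": None, "secure": None}
    cfg = root.find(f".//{{{SSC_NS}}}cookie-config")
    if cfg is None:
        return flags
    for name in flags:
        el = cfg.find(f"{{{SSC_NS}}}{name}")
        if el is not None and el.text is not None:
            flags[name] = el.text.strip().lower() == "true"
    return flags


def check_ear(ear_bytes: bytes) -> dict:
    """Inspect jboss-all.xml inside an EAR (a zip) and list findings to fix."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as z:
        if JBOSS_ALL not in z.namelist():
            return {"present": False, "findings": [f"{JBOSS_ALL} missing"]}
        flags = cookie_flags_from_xml(z.read(JBOSS_ALL).decode("utf-8"))
    findings = []
    if flags["http-only"] is not True:
        findings.append("http-only is not true")
    if flags["secure"] is not True:
        findings.append("secure is not true (generated default is false)")
    return {"present": True, **flags, "findings": findings}


def build_sample_ear(http_only: str, secure: str) -> bytes:
    """Constructed minimal EAR for demonstration: only the jboss-all.xml entry."""
    xml = (f'<jboss xmlns="urn:jboss:1.0"><shared-session-config xmlns="{SSC_NS}">'
           f'<session-config><cookie-config><path>/</path>'
           f'<http-only>{http_only}</http-only><secure>{secure}</secure>'
           f'</cookie-config></session-config></shared-session-config></jboss>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(JBOSS_ALL, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real EAR path; with no argument, check the generated-file defaults.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ear("true", "false")
    print(check_ear(data))
```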