Why does the WCSession cookie in IBM WebSphere Commerce not have the HTTPOnly flag set?
Java™ EE does not provide a mechanism to support the HttpOnly flag until servlet V3. The current servlet version WebSphere Commerce supports is V2.4. There are no current plans to support servlet V3.
If a site has an XSS vulnerability, setting the HTTPOnly flag on a cookie will prevent the possibility of the cookie being stolen by a client side script. If the site does not have an XSS vulnerability, the cookie cannot be stolen by client a side script.The HttpOnly flag provides additional protection in case an XSS vulnerability exists.
WebSphere Commerce already contains XSS filtering to help reduce this risk.
XSS filtering does not overcome the exact limitation of the lack of the HTTPOnly flag (which prevents most common XSS attacks), For example; however it tries to filter out any threats that an HTTPOnly flag would have protected against.
For more information on how this XSS filtering works, see article:
V7.0: Enabling cross-site scripting protection
V6.0: Enabling cross-site scripting protection
A possible workaround is to use a servlet filter to add the header in the HTTP response. You can use this OWASP example.
In addition to XSS filtering, a good practice is to use the <c:out> tag when using parameters on JSPs.
Note: WebSphere Application Server v18.104.22.168 and above support the setting of the HTTPOnly flag for session cookies. Please refer to Enabling httpOnly for session cookies in the Knowledge Center for more information.