IBM Support

Enable the useHttpOnly feature of Tomcat in WebSphere Application Server Community Edition

Technote (troubleshooting)


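Add support for using httpOnly for session cookies. The HttpOnly attribute tells the browser not to expose the cookie to client-side script, which limits session-cookie theft through cross-site scripting. This feature is disabled by default, but it is supported as of Tomcat 6.0.19.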

Resolving the problem

To enable this feature, follow the instructions below.

1. Start the server.

2. Uninstall all your web applications.

3. Download the patch.

4. Unzip the attached file into the WebSphere Application Server Community Edition installation directory, and ensure that the files in the zip file replace the ones in the server installation.

5. Start the server.

6. Reinstall all the web applications that you uninstalled earlier.

7. Before you deploy a web application that will use the useHttpOnly feature, confirm that the useHttpOnly flag is set to true in the application's geronimo-web.xml. For example:

<?xml version="1.0" encoding="UTF-8" ?>
<web:web-app xmlns:web="" xmlns:app="" xmlns:client="" xmlns:conn="" xmlns:dep="" xmlns:log="" xmlns:name="" xmlns:pers="" xmlns:sec="" xmlns:tomcat="">
  <tomcat:context useHttpOnly="true" />
</web:web-app>
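A pre-deployment check for step 7, added here as an example and not part of the IBM technote: it parses a geronimo-web.xml plan and reports whether useHttpOnly is set to true on the context element. The function names, the result labels and the urn:example namespace URIs in the constructed sample plans are assumptions; elements are matched by local name because the namespace URIs are not shown on this page.

```python
import xml.etree.ElementTree as ET


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def audit_plan(plan_xml):
    """Classify a geronimo-web.xml plan (str or bytes).

    Returns 'enabled', 'disabled', 'missing' or 'invalid'.
    """
    try:
        root = ET.fromstring(plan_xml)
    except ET.ParseError:
        return "invalid"  # plan is not well-formed XML
    # Assumption: any element whose local name is 'context' is the Tomcat one.
    contexts = [e for e in root.iter() if local_name(e.tag) == "context"]
    if not contexts:
        return "missing"  # no context element, so the default (off) applies
    values = [c.get("useHttpOnly") for c in contexts]
    if all(v is not None and v.strip().lower() == "true" for v in values):
        return "enabled"
    return "disabled"  # attribute absent or set to something other than true


# Constructed sample plans; the namespace URIs are placeholders.
_NS = 'xmlns:web="urn:example:web" xmlns:tomcat="urn:example:tomcat"'
PLAN_ENABLED = f'<web:web-app {_NS}><tomcat:context useHttpOnly="true" /></web:web-app>'
PLAN_FALSE = f'<web:web-app {_NS}><tomcat:context useHttpOnly="false" /></web:web-app>'
PLAN_NO_ATTR = f'<web:web-app {_NS}><tomcat:context /></web:web-app>'
PLAN_NO_CONTEXT = f'<web:web-app {_NS}></web:web-app>'
PLAN_BROKEN = f'<web:web-app {_NS}><tomcat:context useHttpOnly="true" />'

if __name__ == "__main__":
    samples = {
        "enabled": PLAN_ENABLED,
        "false": PLAN_FALSE,
        "no attribute": PLAN_NO_ATTR,
        "no context": PLAN_NO_CONTEXT,
        "unclosed root": PLAN_BROKEN,
    }
    for label, plan in samples.items():
        print(f"{label}: {audit_plan(plan)}")
```

Only a result of enabled means the plan asks for HttpOnly session cookies; every other result should block the deployment until the plan is corrected.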

Document information

More support for: WebSphere Application Server Community Edition

Software version:

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1639947

Modified date: 11 October 2013
