Hi all,
I am using Alfresco Community version 5.2 and, due to a security concern, I want to set the HttpOnly flag for the cookie.
How do I do that? Please suggest a solution.
Regards
Akash D
It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via the Tomcat context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml.
All other cookies are tougher to crack, and in the end, I typically end up with Cookie rewrite handling in the Reverse Proxy, similar to this handling of Secure/SameSite. Of course for httpOnly you absolutely have to be sure that no client JavaScript ever needs to access the cookie value, so it should not be handled in such a generic / blanket fashion.
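As an added illustration (not part of this thread and not Alfresco's or Tomcat's own code), here is a small Python script that audits Set-Cookie headers for the HttpOnly and Secure flags and shows the allow-listed rewrite a reverse proxy would apply, so that only named cookies such as JSESSIONID get the flag and nothing client-side JavaScript reads is touched. The sample headers are constructed, and the cookie name uiPrefs is hypothetical; JSESSIONID is the only name taken from the thread. The flag lives on the Set-Cookie response header, so checking the headers a request actually returns (for example `curl -sD - -o /dev/null` against the Share login page) is a more reliable test than looking at a browser's stored-cookie view, and the old cookie stays until a new session is issued. One caveat: Tomcat 7 and later already default useHttpOnly to true, so if the flag is still missing after a Tomcat restart and a fresh session, look at whether a proxy or load balancer in front of Tomcat is re-issuing the cookie without it.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and apply an allow-listed rewrite.

Added example; the header lines below are constructed, not captured from a real
Alfresco installation. Feed the functions real headers from e.g.
`curl -sD - -o /dev/null https://host/share/page/` in practice.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample Set-Cookie headers modelled on an Alfresco + Share Tomcat.
# "uiPrefs" is a hypothetical cookie standing in for one that client-side
# JavaScript might need to read, which is why it must not be flagged blindly.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F7A8B; Path=/share/",
    "Set-Cookie: JSESSIONID=0F9E8D7C6B5A4F3E; Path=/alfresco/; HttpOnly",
    "Set-Cookie: uiPrefs=theme%3Ddark; Path=/share/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure",
    "Set-Cookie: other=1; Path=/share/; HttpOnly; Secure; SameSite=Lax",
]

# Flags a session-style cookie should carry before it leaves the server.
REQUIRED_FLAGS = ("httponly", "secure")

_PREFIX = re.compile(r"^\s*set-cookie\s*:\s*", re.IGNORECASE)


def parse_set_cookie(header: str) -> Tuple[str, str, Set[str]]:
    """Return (cookie name, Path value, lowercased attribute names) for one header.

    Accepts either a full "Set-Cookie: ..." line or just the header value.
    """
    value = _PREFIX.sub("", header, count=1)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    path = ""
    attrs: Set[str] = set()
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        attrs.add(key)
        if key == "path":
            path = val.strip()
    return name, path, attrs


def audit(headers: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """List (name, path, missing flags) for every cookie lacking a required flag.

    Name and path are both reported because Alfresco and Share each issue their
    own JSESSIONID, distinguished only by the Path attribute.
    """
    findings = []
    for header in headers:
        name, path, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings.append((name, path, missing))
    return findings


def add_httponly(header: str, cookie_names: Set[str]) -> str:
    """Append HttpOnly to a Set-Cookie header, but only for cookies in cookie_names.

    Mirrors an allow-listed reverse-proxy cookie rewrite: cookies not in the list,
    and cookies that already carry the flag, are returned unchanged.
    """
    name, _, attrs = parse_set_cookie(header)
    if name not in cookie_names or "httponly" in attrs:
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


if __name__ == "__main__":
    for name, path, missing in audit(SAMPLE_HEADERS):
        print(f"{name} (Path={path}) is missing: {', '.join(missing)}")
    for line in SAMPLE_HEADERS:
        print(add_httponly(line, {"JSESSIONID"}))
```

Running the script reports both JSESSIONID cookies and uiPrefs as incomplete, and the rewrite pass adds HttpOnly only to the Share JSESSIONID line, leaving uiPrefs alone.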
Sorry @afaust, I am unable to perform the solution you provided. Is there any other solution with which I can set HttpOnly for Alfresco?
Thanks in Advance
Akash D
I am not aware of any simpler solution, as I too would have used such if it were available.
Dear @afaust, as explained by you:
It depends on which cookie you want to set the httpOnly flag on. The JSESSIONID is one of the easiest cookies to switch to httpOnly because you can do that via the Tomcat context configuration (useHttpOnly) for the Alfresco / Share web application in <tomcat>/conf/Catalina/localhost/alfresco.xml or share.xml.
Can you please tell me what code I need to add and where? Please help, it could solve my issue. I want to set HttpOnly for the JSESSIONID cookie.
Hoping for your response.
Thanks in Advance
Regards
Akash
All the information was already in my original reply. You need to set the useHttpOnly config attribute in alfresco.xml / share.xml in the specified paths. The only thing I can do more is to link to a sample file from my Docker build.
Hi @akash251998,
I'm so glad @afaust was able to help you resolve your issue & thank you for accepting his solution.
Best wishes,
Dear @afaust, as per your suggestion I have made the changes in the files alfresco.xml and share.xml at the location:
D:\DMS\tomcat\conf\Catalina\localhost
My alfresco.xml file
<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
<Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/platform/*.jar" />
</Context>
My share.xml file
<?xml version='1.0' encoding='utf-8'?>
<Context crossContext="true" useHttpOnly="true">
<Loader className="org.apache.catalina.loader.VirtualWebappLoader" virtualClasspath="${catalina.base}/../modules/share/*.jar" />
</Context>
I am still getting the JSESSIONID in my cookies as not set to HttpOnly. I am attaching a screenshot of the cookie information.
Is there any other change we have to make to achieve our requirement? @afaust, please have a look; I hope this time I will also get a positive response.
Regards
Akash D
Dear @EddieMay, will you please look into the above issue?