Enabling httpOnly for session cookies
As a best practice, enable the httpOnly attribute on session cookies. A cookie marked httpOnly cannot be read or modified by JavaScript running in the browser, which reduces the risk of session cookie theft through cross-site scripting attacks.
Before you begin
Complete the following task:
- Ensure that you are running WebSphere Application Server V7.0 Fix Pack 37 or a more recent version. This Fix Pack includes the interim fix for APAR PI25144, which enables the use of wildcards in the cookie names.
About this task
Session management cookies are good candidates for httpOnly. Avoid enabling httpOnly on cookies that are used in the storefront, such as WC_CartTotal_ and WC_CartOrderId_ in the starter stores.
Tip: Use a tool such as the Firebug add-on for the Mozilla Firefox browser to view the list of cookies that exist on the storefront. This tool also shows whether the httpOnly flag is set on each cookie.
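As an added example (not part of the original documentation or the product), the following script audits the Set-Cookie headers a storefront returns and reports session cookies that lack httpOnly as well as storefront cookies that were wrongly given it. The wildcard cookie names use the trailing `*` convention; the session-cookie patterns other than JSESSIONID, and all sample header values, are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Storefront cookies that JavaScript must still be able to read (named on the page);
# the trailing "*" stands for the store-specific suffix, written as a wildcard.
STOREFRONT_JS_COOKIES = ["WC_CartTotal_*", "WC_CartOrderId_*"]

# Session-management cookies that should carry httpOnly. JSESSIONID is the
# standard WebSphere session cookie; the WC_* patterns are assumed for illustration.
SESSION_COOKIES = ["JSESSIONID", "WC_AUTHENTICATION_*", "WC_USERACTIVITY_*"]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as HttpOnly and Secure have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def matches_any(name, patterns):
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def audit_set_cookies(headers):
    """Classify each cookie as ok, missing-httponly, should-not-be-httponly or unclassified."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        http_only = "httponly" in attrs
        if matches_any(name, STOREFRONT_JS_COOKIES):
            findings[name] = "should-not-be-httponly" if http_only else "ok"
        elif matches_any(name, SESSION_COOKIES):
            findings[name] = "ok" if http_only else "missing-httponly"
        else:
            findings[name] = "unclassified"
    return findings


# Constructed sample headers, as a storefront response might return them.
SAMPLE_HEADERS = [
    "JSESSIONID=0000abc:1a2b3c; Path=/; Secure; HttpOnly",
    "WC_AUTHENTICATION_1002=1002%2Cxyz; Path=/; Secure",
    "WC_CartTotal_10101=3; Path=/",
    "WC_CartOrderId_10101=5001; Path=/; HttpOnly",
    "marketing_pref=on; Path=/",
]

if __name__ == "__main__":
    for cookie, verdict in audit_set_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {verdict}")
```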