According to the release notes at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html, HttpOnly support for the session cookie looks to be implemented only from 6.0.33. Update your Tomcat version before you try this configuration change.
Modify context.xml under the tomcat/conf directory by adding the useHttpOnly attribute to the <Context> element.
<Context useHttpOnly="true">
…
</Context>
To make the cookie secure, add the attribute secure="true" to the <Connector> definition in server.xml.
This fix is available 6.0.30 onwards.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49749