How can I set session cookies to be Http-Only in servlet API 2.5? The Cookie.setHttpOnly method was added in servlet API 3.0.
I need to do the same thing...
I'm thinking of doing a servlet filter, reading the cookies with request.getCookies(), creating the raw cookies (in a StringBuilder; not the object Cookie), appending HttpOnly and using response.setHeader("Set-Cookie", rawCookies) to put them back.
One thing to be careful about is taking other properties, as in domain, path, secured; not just name and value.
Will let you know how it goes...
PS: I also thought of taking the header with request.getHeader('COOKIES') and using regex to append HttpOnly, but it seems that the header COOKIES will only give you the name and the value property.
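A sketch of the filter idea from the post above, added here as an example and not code from the original thread: it intercepts cookies on the response side, where domain, path, max-age and secure are still available, and writes the Set-Cookie header by hand with HttpOnly appended. The class name `HttpOnlyCookieFilter` and its helpers are hypothetical, and the filter is assumed to be mapped in web.xml in a Servlet 2.5 container.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter: every cookie the application adds through
// response.addCookie() is re-emitted as a raw header ending in "; HttpOnly".
public class HttpOnlyCookieFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override
            public void addCookie(Cookie c) {
                // Servlet 2.5 has no Cookie.setHttpOnly, so bypass the Cookie
                // path and add the header ourselves (addHeader, not setHeader,
                // so several cookies in one response are all kept).
                addHeader("Set-Cookie", serialize(c));
            }
        });
    }

    // Copies every attribute of the response-side Cookie, not just name=value.
    static String serialize(Cookie c) {
        StringBuilder sb = new StringBuilder();
        sb.append(c.getName()).append('=').append(safe(c.getValue()));
        if (c.getDomain() != null) sb.append("; Domain=").append(safe(c.getDomain()));
        if (c.getPath() != null) sb.append("; Path=").append(safe(c.getPath()));
        // Negative max-age means a browser-session cookie: no attribute at all.
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure()) sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }

    // Hand-built headers skip the container's own checks, so refuse characters
    // that would end the attribute (';') or the header line (CR/LF).
    static String safe(String s) {
        if (s == null) return "";
        if (s.indexOf(';') >= 0 || s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0)
            throw new IllegalArgumentException("illegal character in cookie attribute");
        return s;
    }
}
```

The container may write its own session cookie without going through the wrapped response, so check the Set-Cookie headers actually sent for the session cookie before relying on this filter for it.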