Enabling httpOnly for session cookies

As a best practice, you can enable httpOnly to protect session cookies. By using httpOnly cookies, you can prevent cookies from being manipulated with JavaScript within the browser and reduce the possibility of cross-site scripting attacks and cookie theft.

Before you begin

Complete the following task:

About this task

Session management cookies are good candidates for httpOnly. Avoid enabling httpOnly on cookies that are used in the storefront, such as WC_CartTotal_ and WC_CartOrderId_ in the starter stores.
Tip: Use a tool such as the Firebug add-on for the Mozilla Firefox browser to view the list of cookies that exist on the storefront. This tool can also let you see whether any cookies have the httpOnly setting enabled.


  1. In the WebSphere Application Server administrative console, expand Servers > Server types. Click WebSphere application servers.
  2. Select the server
  3. Click the Configuration tab. In the Container Settings section, expand Web Container Settings. Click Web Container.
  4. In the Additional Properties sections, click Custom Properties.
  5. In the Custom Properties page, click New.
  6. Add the following information in the General Properties fields to enable the httpOnly cookies setting:
  7. Click Apply.
  8. Click Save.
  9. Restart the server for the custom property to take effect.
  10. Repeat the previous steps for each server that you need to configure.