Issue
- JSESSIONID cookie does not contain the HttpOnly flag.
Environment
- Liferay Portal 6.2
- JBOSS
Resolution
- You need to change it in your application server configuration, in the [jboss_home]\standalone\deployments\ROOT.war\WEB-INF\web.xml file, as below:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
    </web-app>

- Even though this is an application server configuration, we can help you out in case you do not want to change it yourself. Just request a hotfix with the LPP-17644 internal fix and our support team will do the rest.
Additional Information