Secure and HTTPOnly Cookies


Hi, Lucee seems to be setting client stat cookies that I need to make secure and HTTPOnly.


How can I achieve this?



You should be able to configure this in your J2EE servlet container. In order to give you a more detailed answer we’ll need more details about your setup.

By way of example, in Tomcat, you can edit [lucee]/tomcat/conf/context.xml and change this:


to this:

`<Context useHttpOnly="true">`


This doesn’t seem to be working on the 5.2.20

is set

these cookies are still not set to HTTPOnly and secure


Hi @mee_nothus,

Can you please add this to your Application.cfc:

`this.sessioncookie={httponly=true, timeout=createTimeSpan(0, 0, 0, 10), secure=true, domain=""};`

I hope this helps.
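To check whether the flags discussed in this thread actually reach the browser, the response's `Set-Cookie` headers can be audited directly. The script below is an added example, not code from any poster or from Lucee; the header lines and cookie values in it are constructed sample data.

```python
# Added example: report cookies whose Set-Cookie header lacks Secure or HttpOnly.
# SAMPLE_HEADERS is constructed sample data, not output captured from a real server.
SAMPLE_HEADERS = [
    "Set-Cookie: cfid=constructed-sample-id; Path=/; Expires=Wed, 01 Jan 2048 00:00:00 GMT",
    "Set-Cookie: cftoken=0; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=CONSTRUCTED123; Path=/; Secure; HttpOnly",
]

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(line):
    """Return (cookie_name, set of lowercased attribute names) for one header line."""
    header, sep, value = line.partition(":")
    if not sep or header.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header: %r" % line)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("no name=value pair in: %r" % line)
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Expires=...) are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(lines):
    """Map each cookie name to the required flags it is missing.

    If a cookie is set more than once in the same response, the last
    header for that name decides the result.
    """
    findings = {}
    for line in lines:
        name, attrs = parse_set_cookie(line)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            findings[name] = missing
        else:
            findings.pop(name, None)
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print("%s: missing %s" % (cookie, ", ".join(missing)))
```

Replace `SAMPLE_HEADERS` with the `Set-Cookie` lines from your own server's response, captured over HTTPS after each configuration change.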