How can I set session cookies to be Http-Only in servlet API 2.5?

How can I set session cookies to be Http-Only in servlet API 2.5? The Cookie.setHttpOnly method was added in servlet API 3.0.


I need to do the same thing...

I'm thinking of doing a servlet filter, reading the cookies with request.getCookies(), creating the raw cookies (in a StringBuilder; not the object Cookie), appending HttpOnly and using response.setHeader("Set-Cookie", rawCookies) to put them back.

One thing to be careful about is taking other properties, as in domain, path, secured; not just name and value.

Will let you know how it goes...

PS: Also thought of taking the header with request.getHeader('COOKIES') and using regex to append HttpOnly, but it seems that the header COOKIES will only give you the name and the value property.


I think you'll want to create some utility code that will take a Cookie and a flag for whether or not you want HttpOnly. The utility will create the associated string header for the cookie which you can pass to HttpServletResponse.addHeader("Set-Cookie", cookieHeader).
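
The utility described in the answer above, as an added example that is not code from the original posts. The names HttpOnlyCookies, toHeader, add and check are hypothetical, and it assumes the Servlet 2.5 javax.servlet API is on the classpath.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper for Servlet 2.5, where Cookie has no setHttpOnly(). */
public final class HttpOnlyCookies {
    private HttpOnlyCookies() {}

    /** Builds the Set-Cookie value, carrying over path, domain, max-age and secure. */
    public static String toHeader(Cookie c, boolean httpOnly) {
        StringBuilder sb = new StringBuilder();
        sb.append(check(c.getName())).append('=').append(check(c.getValue()));
        if (c.getPath() != null)   sb.append("; Path=").append(check(c.getPath()));
        if (c.getDomain() != null) sb.append("; Domain=").append(check(c.getDomain()));
        // A negative max-age means a browser-session cookie, so no attribute is sent.
        if (c.getMaxAge() >= 0)    sb.append("; Max-Age=").append(c.getMaxAge());
        if (c.getSecure())         sb.append("; Secure");
        if (httpOnly)              sb.append("; HttpOnly");
        return sb.toString();
    }

    /** Uses addHeader: setHeader would replace Set-Cookie headers already on the response. */
    public static void add(HttpServletResponse resp, Cookie c, boolean httpOnly) {
        resp.addHeader("Set-Cookie", toHeader(c, httpOnly));
    }

    /** Rejects characters that would end the attribute or the header line. */
    private static String check(String s) {
        if (s == null) {
            throw new IllegalArgumentException("cookie field is null");
        }
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch == ';' || ch == ',' || ch < 0x20 || ch == 0x7f) {
                throw new IllegalArgumentException("illegal character in cookie field");
            }
        }
        return s;
    }
}
```

This covers cookies the application creates itself; the session cookie is written by the container, so it only carries the flag if the application re-issues it through a helper like this one.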
