web.xml
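<!-- web.xml (Servlet 3.0 or later): mark the container-managed session cookie
     HttpOnly so that page scripts cannot read it through document.cookie.
     This limits session-id theft via XSS; it does not prevent XSS itself. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <!-- Consider adding <secure>true</secure> as well when the application is
         served only over HTTPS, so the cookie is never sent in clear text. -->
  </cookie-config>
</session-config>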
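// Emit a hand-built cookie carrying the HttpOnly attribute so client-side
// script cannot read it.
// addHeader is used rather than setHeader: setHeader overwrites any Set-Cookie
// header already placed on the response (for example the container's session
// cookie), which would silently drop that cookie.
// For HTTPS-only sites, also consider appending "; Secure" and a SameSite
// attribute to the cookie string.
response.addHeader("Set-Cookie", "name=value; HttpOnly");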
<!-- Tomcat context configuration: useHttpOnly="true" makes the container add
     the HttpOnly flag to the session cookies it issues for this web application.
     NOTE(review): recent Tomcat releases are believed to default this to true;
     confirm against the documentation for the version in use. -->
<Context useHttpOnly="true">
  ...
</Context>