How to set HttpOnly for Pega-RULES cookie?



I have modified web.xml with 


but it didn't work at all.

I changed Context.xml with <Context useHttpOnly="true">. But this also didn't work.

Then I created a filter class to set HttpOnly for all the cookies that any servlet has received in its request, added this filter within prweb and redeployed it, followed by a restart. This time it worked for other cookies, but not for the Pega-RULES cookie.


What's so special about this cookie? What does it do? How do I set HttpOnly for this Pega-RULES cookie?



Any help is highly appreciated. Thanks in advance.
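As an added illustration of the filter approach described in the question (this is example code, not Pega's own code and not the questioner's filter), the following servlet filter wraps the response and forces `HttpOnly` onto every `Set-Cookie` header, whether the cookie was set through `addCookie()` or written as a raw header. The class name, the wrapper, and the assumption that a cookie escaping an `addCookie()`-only filter is being emitted as a raw `Set-Cookie` header are all hypothetical; cookies added after the response has been committed cannot be rewritten by any filter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical example filter (not Pega's code) that forces the HttpOnly
 * attribute onto every cookie the application sets, including cookies
 * written as raw Set-Cookie headers rather than via addCookie().
 * Map it to /* in web.xml and list it before any other filter so that it
 * wraps the response before downstream code writes cookies.
 */
public class HttpOnlyCookieFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new HttpOnlyResponseWrapper((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Rewrites every Set-Cookie header so that it carries HttpOnly exactly once. */
    static class HttpOnlyResponseWrapper extends HttpServletResponseWrapper {

        HttpOnlyResponseWrapper(HttpServletResponse response) {
            super(response);
        }

        // Cookies set through the Cookie API are serialised by hand so they
        // pass through addHeader() below; this works on Servlet 2.5, which
        // has no Cookie.setHttpOnly(), as well as on Servlet 3.0 and later.
        @Override
        public void addCookie(Cookie cookie) {
            StringBuilder sb = new StringBuilder();
            sb.append(cookie.getName()).append('=')
              .append(cookie.getValue() == null ? "" : cookie.getValue());
            if (cookie.getPath() != null)   sb.append("; Path=").append(cookie.getPath());
            if (cookie.getDomain() != null) sb.append("; Domain=").append(cookie.getDomain());
            if (cookie.getMaxAge() >= 0)    sb.append("; Max-Age=").append(cookie.getMaxAge());
            if (cookie.getSecure())         sb.append("; Secure");
            addHeader("Set-Cookie", sb.toString());
        }

        // Cookies written as raw headers, which a filter that only intercepts
        // addCookie() never sees.
        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? withHttpOnly(value) : value);
        }

        // Case-insensitive scan of the attribute list so the flag is never duplicated.
        static String withHttpOnly(String setCookie) {
            for (String part : setCookie.split(";")) {
                if ("httponly".equalsIgnoreCase(part.trim())) {
                    return setCookie;
                }
            }
            return setCookie + "; HttpOnly";
        }
    }
}
```

A quick check after deploying is to look at the raw response headers from a browser's developer tools or a command-line HTTP client and confirm that every `Set-Cookie` line, including the one for Pega-RULES, ends with `HttpOnly`. Where the container or product offers a built-in setting for this, as the later answers describe, that setting is the more reliable choice, because it is applied by the code that actually writes the cookie rather than by a wrapper that has to catch every path.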





February 17, 2014 - 4:08am

Hi Experts,


This is one of the big security concerns that we have in our project. So, I would really appreciate if somebody can kindly help me out on this.



December 16, 2014 - 3:04pm

In case anyone else runs across this and has the same issue, HFIX-9206 provides the ability to set cookies to HTTPOnly for PRPC 6.3 SP1. Once you have it installed, you can set <env name="cookie/HttpOnly" value="true" /> in prconfig.xml and cookies will be HTTPOnly. This will prevent integration with Microsoft Office etc.


PRPC 7.1 has this capability built in - just add <env name="cookie/HttpOnly" value="true" /> to prconfig.

January 15, 2015 - 9:51am

In WebSphere, if you go to the JVM additional properties, you will have the option to configure httponly = true.


But the problem is that your Excel integration doesn't work.



Chandrasekhar Bhagath.