Red Hat
Oct 22, 2009
by Anil Saldhana
There are concerns that client-side scripts should not be able to access the cookies sent by the server. To address this, the HttpOnly cookie attribute was introduced by Microsoft in Internet Explorer and has since been reasonably well adopted by other browsers and the public.

Read more about it at the OWASP site: http://www.owasp.org/index.php/HTTPOnly

Tomcat has a flag on the Context element, which you can place in either WEB-INF/context.xml (JBoss) or META-INF/context.xml (Tomcat), to make use of this feature.

Reference: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

So look for examples of context.xml with a Google search and then add `useHttpOnly="true"` to the Context element.
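As an added example (not from the original post), here is a minimal context.xml with the attribute set. Everything in it is assumed: the file lives at META-INF/context.xml for standalone Tomcat or WEB-INF/context.xml under JBoss, as described above, and the application has no other Context settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: META-INF/context.xml (Tomcat) or WEB-INF/context.xml (JBoss).
     In the Tomcat 6.0 docs referenced above, useHttpOnly defaults to false,
     so it must be set explicitly for the container to append "; HttpOnly"
     to the JSESSIONID Set-Cookie header. -->
<Context useHttpOnly="true">
    <!-- Other per-application settings (Resources, Valves, Parameters) go here. -->
</Context>
```

After restarting the application, the Set-Cookie header for JSESSIONID in the first response should carry the HttpOnly attribute; the flag only stops scripts from reading the session cookie via document.cookie and does not remove the underlying cross-site scripting problem, so it complements output encoding rather than replacing it.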