I have Apache 2.4.6 and dotCMS 2.3.2 on SUSE Linux. I want to set the HttpOnly and Secure flags in dotCMS and Tomcat. I set these configurations in Apache and Tomcat:
<Context useHttpOnly="true">
in context.xml
<Connector maxThreads="400" connectionTimeout="3000" port="8080" protocol="HTTP/1.1" redirectPort="8443" URIEncoding="UTF-8" secure="true" />
in server.xml
Header edit Set-Cookie ^(.*)$ $1;HttpOnly
or
Header set Set-Cookie HttpOnly;Secure
in httpd.conf
After that I restarted Tomcat and tested with Burp Suite, but it doesn't set them in the cookie.
Header set Set-Cookie HttpOnly;Secure
in httpd.conf
works.
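A quick way to verify the result of such changes, added here and not part of the original post: the function below reads raw HTTP response headers (for example piped from `curl -sI https://host/`) and reports each Set-Cookie header that lacks HttpOnly or Secure. The sample response at the end is constructed, not captured from the poster's server; note that in Apache, `Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"` is the form that keeps the cookie's own value while appending both attributes.

```shell
#!/bin/sh
# Added check, not from the original post: read raw HTTP response headers on
# stdin and report every Set-Cookie header that lacks HttpOnly or Secure.
# Uses POSIX awk only; attribute names are matched case-insensitively.
check_cookie_flags() {
  # Prints "<cookie name>: ok" or "<cookie name>: missing <flags>" per cookie.
  # Returns 0 when every cookie carries both flags, 1 otherwise.
  awk '
    BEGIN { bad = 0 }
    {
      line = $0
      sub(/\r$/, "", line)            # tolerate CRLF line endings
      l = tolower(line)
      if (l !~ /^set-cookie:/) next
      rest = substr(line, index(line, ":") + 1)
      sub(/^[ \t]+/, "", rest)
      split(rest, parts, ";")         # parts[1] is "name=value"
      split(parts[1], kv, "=")
      name = kv[1]
      missing = ""
      if (l !~ /;[ \t]*httponly([ \t]*;|[ \t]*$)/) missing = missing " HttpOnly"
      if (l !~ /;[ \t]*secure([ \t]*;|[ \t]*$)/)   missing = missing " Secure"
      if (missing == "") print name ": ok"
      else { print name ": missing" missing; bad = 1 }
    }
    END { exit bad }
  '
}

# Constructed sample response (not captured from the poster's server):
# the Tomcat session cookie has both flags, a second cookie has neither.
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=abc; Path=/; HttpOnly; Secure\r\nSet-Cookie: DWRSESSIONID=xyz; Path=/\r\n' \
  | check_cookie_flags || echo "at least one cookie is missing a flag"
```

Run it after each configuration change and restart, since Tomcat's own cookies (JSESSIONID) and cookies set by the application behind it may pick up the flags from different places.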