Hello, I'm new to this list. I want to setup usage of HttpOnly for cookies for enterprise application, but without luck. I've searched and found these: 1) Jboss 4.3 - add useHttpOnly="true" attribute to Context element in the web application's context.xml 2) Jboss 5.x - add new element as subelement of the Context element in the web application's context.xml; the element is <SessionCookie httpOnly="true"/> (I've also try <SessionCookie path="/" httpOnly="true"/>) None of these works for me. The application is a enterprise application with web application packed in the WAR archive. I've changed the context.xml which is in the WEB-INF directory of the web application. To check if the HttpOnly presents I'm using "Live HTTP headers" Firefox plug-in. I'm sure I've missed something, but what I cannot find. Thanks for help Pat ---------------------------------------- Freehosting PIPNI - http://www.pipni.cz/