Legacy Knowledge Base
Published Jul. 2, 2025

Configuring Cookies' httpOnly Status

Written By

Christopher Lui

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Description

By default, the Liferay platform sets all of its cookies to httpOnly true. The property that controls this is in the portal.properties file (Liferay 6.2 and earlier) or in the system.properties file (starting with Liferay 7.0):

    #
    # HTTP only cookies are not supposed to be exposed to client-side scripting
    # code, and may therefore help mitigate certain kinds of cross-site
    # scripting attacks. Input a list of comma delimited cookie names that are
    # not HTTP only.
    #
    cookie.http.only.names.excludes=

Resolution

To exclude certain cookies from being httpOnly true and make them httpOnly false, list them by name, comma delimited, using the property above in a system-ext.properties file. As the property's comment notes, HTTP only cookies are not exposed to client-side scripting code, so every cookie you list becomes readable by scripts running in the page; list only the cookies that need it. Place the system-ext.properties file in your deployed Liferay war's /WEB-INF/classes directory, and then restart Liferay. You can find your Liferay's /WEB-INF/classes wherever it has been deployed in your application server. If you are using Tomcat, for example, it would be located in tomcat-{version}/webapps/ROOT/WEB-INF/classes.

To verify that the property is being read, go to Control Panel > Server Administration > Properties and search for the property you added.
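The Properties page shows that the value was read, not that responses changed. The following added example (not part of the original article and not Liferay code) compares Set-Cookie headers, copied for instance from browser developer tools, against the exclude list and reports any mismatch. The cookie names, property value and headers are constructed placeholders, and the parser handles only the simple key=value form.

```python
"""Added example: audit Set-Cookie headers against cookie.http.only.names.excludes."""


def parse_excludes(properties_text):
    """Return the cookie names listed in cookie.http.only.names.excludes."""
    names = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "cookie.http.only.names.excludes":
            # A later definition replaces an earlier one, as in java.util.Properties.
            names = {n.strip() for n in value.split(",") if n.strip()}
    return names


def audit(set_cookie_headers, excludes):
    """Compare each cookie's HttpOnly flag with what the exclude list implies."""
    findings = []
    for header in set_cookie_headers:
        pair, *attrs = header.split(";")
        name = pair.split("=", 1)[0].strip()
        http_only = any(a.strip().lower() == "httponly" for a in attrs)
        if not http_only and name not in excludes:
            findings.append((name, "missing HttpOnly but not in exclude list"))
        elif http_only and name in excludes:
            findings.append((name, "in exclude list but still HttpOnly"))
    return findings


# Constructed sample input (not taken from a real server).
SAMPLE_PROPERTIES = """\
# system-ext.properties
cookie.http.only.names.excludes=EXAMPLE_UI_PREF,EXAMPLE_BANNER
"""
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "EXAMPLE_UI_PREF=compact; Path=/",
    "EXAMPLE_BANNER=seen; Path=/; HttpOnly",
    "EXAMPLE_TRACKING=1; Path=/",
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_HEADERS, parse_excludes(SAMPLE_PROPERTIES)):
        print(f"{name}: {problem}")
```

A cookie reported as missing HttpOnly without being listed may be set by something other than the portal, such as the application server or another web application, and is worth tracing to its source.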
