In the current community version (6.2023.2), the set-cookie HTTP response headers don’t use the httponly attribute anymore. This was also the case with 6.2022.2, but not with version 5 (and earlier, as far as I can remember). As an example, the following set-cookie header is used:
set-cookie: JSESSIONID=0e7fa18043cbd4b39ad0e0a5f517; Path=/test; Secure
Apparently, the same issue existed in Glassfish 7, where it was (likely) fixed in the meantime: Fixed default httpOnly value - should be true by hs536 · Pull Request #24021 · eclipse-ee4j/glassfish · GitHub
I couldn’t find a server setting to enable the httponly attribute. I’m aware it can be enabled in web.xml, but in my opinion, the default (and secure) behaviour should be to enable the attribute.
Is this a known issue or indeed intended behaviour?
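An added example (not part of the original post, nor Payara or GlassFish code): a small Python check that parses Set-Cookie values and reports which of the HttpOnly and Secure attributes are missing. The sample headers are constructed from the cookie quoted above, once without and once with HttpOnly, as a response-header audit for this regression would see them.

```python
"""Flag Set-Cookie headers that lack HttpOnly (or Secure).

Added example, not from the original post or from Payara/GlassFish.
The sample header values are constructed from the post's example.
"""
from typing import Dict, List

# Constructed sample: the header quoted in the post, plus the same cookie
# as a servlet container emits it once <http-only>true</http-only> is set
# under <session-config><cookie-config> in web.xml (Servlet 3.0+).
SAMPLE_HEADERS = [
    "JSESSIONID=0e7fa18043cbd4b39ad0e0a5f517; Path=/test; Secure",
    "JSESSIONID=0e7fa18043cbd4b39ad0e0a5f517; Path=/test; Secure; HttpOnly",
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowered.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep the value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "attrs": attrs}


def missing_flags(value: str) -> List[str]:
    """Return which of HttpOnly / Secure are absent from a Set-Cookie value."""
    attrs = parse_set_cookie(value)["attrs"]
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each Set-Cookie value to the list of protective flags it lacks."""
    return {h: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{status:<18} {header}")
```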