Reputation: 21
We are migrating from Tomcat 6.x to Tomcat 8.5.28. We are hitting the issue below from the very first login itself. It seems Tomcat version 8.5.28 adds the httpOnly attribute to the cookie. How to avoid that? Due to this attribute, my client side fails to parse it at the Java API level itself.
java.net.ProtocolException: Bad Set-Cookie header: JSESSIONID=09E13BB21C867AEA7B7BBECA3E4CDCCD; Path=/CSCOnm/servlet; Secure; HttpOnly
No '=' found for token starting at position 75
    at HTTPClient.Cookie.parse(Cookie.java:248)
    at HTTPClient.CookieModule.handleCookie(CookieModule.java:442)
    at HTTPClient.CookieModule.responsePhase1Handler(CookieModule.java:391)
    at HTTPClient.HTTPResponse.handleResponse(HTTPResponse.java:726)
    at HTTPClient.HTTPResponse.getInputStream(HTTPResponse.java:566)
    at HTTPClient.HttpURLConnection.getInputStream(HttpURLConnection.java:611)
    at java.net.URLConnection.getContent(Unknown Source)
I have followed some of the suggestions to configure web.xml as below, but no luck.
    <session-config>
        <cookie-config>
            <http-only>false</http-only>
        </cookie-config>
    </session-config>
Could anybody help me? How to fix this issue? I am blocked at the first page itself.
Upvotes: 1
Views: 1981
Reputation: 21
Modifying the HTTP header in the Apache server fixed this issue. We are using an Apache server in front of Tomcat, so I added the code below to httpd.conf to remove this unwanted attribute. It fixed the issue.
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
Header edit* Set-Cookie "(JSESSIONID=.*)(; HttpOnly)" "$1"
Header edit* Set-Cookie "(JSESSIONID=.*)(; No \'=\')" "$1"
Upvotes: 1
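Added example (not from the original posts, and not the HTTPClient library's code): a minimal Java parser run on the header from the exception, showing that offset 75 is the HttpOnly token (Secure starts at offset 67 and was not the token reported), and how a client-side parser can accept valueless attributes so the session cookie can keep both Secure and HttpOnly. The class and method names, and the strict set containing only "secure", are assumptions chosen to model the error message.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SetCookieFlags {
    // Header value copied from the exception message in the question.
    static final String HEADER =
        "JSESSIONID=09E13BB21C867AEA7B7BBECA3E4CDCCD; Path=/CSCOnm/servlet; Secure; HttpOnly";

    // Walks the ';'-separated tokens: the first is the cookie name=value pair, the
    // rest are attributes. A token without '=' is stored as a flag with value "".
    // If allowedFlags is non-null and the flag is not in it, the parse fails with
    // the token's 0-based offset (assumed model of a strict legacy parser).
    static Map<String, String> parse(String header, Set<String> allowedFlags) {
        Map<String, String> out = new LinkedHashMap<>();
        int pos = 0;
        while (pos < header.length()) {
            int end = header.indexOf(';', pos);
            if (end < 0) end = header.length();
            int start = pos;
            while (start < end && Character.isWhitespace(header.charAt(start))) start++;
            String token = header.substring(start, end).trim();
            int eq = token.indexOf('=');
            boolean first = out.isEmpty();          // cookie pair not seen yet
            if (eq >= 0) {
                String name = token.substring(0, eq).trim();
                out.put(first ? name : name.toLowerCase(Locale.ROOT), token.substring(eq + 1).trim());
            } else if (!token.isEmpty()) {
                String flag = token.toLowerCase(Locale.ROOT);
                if (first || (allowedFlags != null && !allowedFlags.contains(flag)))
                    throw new IllegalArgumentException(
                        "No '=' found for token starting at position " + start);
                out.put(flag, "");
            }
            pos = end + 1;
        }
        return out;
    }

    public static void main(String[] args) {
        try {
            parse(HEADER, Collections.singleton("secure")); // strict: only Secure may be valueless
        } catch (IllegalArgumentException e) {
            System.out.println("strict:   " + e.getMessage());
        }
        System.out.println("tolerant: " + parse(HEADER, null)); // accepts any flag attribute
    }
}
```

If the client library cannot be changed, the header rewrite only needs to target the attribute the parser rejects; every attribute stripped from JSESSIONID removes a protection from the session cookie (HttpOnly against script access, Secure against transmission over plain HTTP).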