---
title: HttpOnly session cookies
description: To help protect against cross-site scripting (XSS) attacks, configure session cookies with the HttpOnly flag. When a cookie has this flag, browsers prevent client-side scripts from accessing it. This is an effective way to prevent attackers from stealing session information.
component: pingam
version: 8.1
page_id: pingam:security:sec-rest-httponly
canonical_url: https://docs.pingidentity.com/pingam/8.1/security/sec-rest-httponly.html
keywords: ["Security", "Setup & Configuration"]
page_aliases: ["security-guide:sec-rest-httponly.adoc"]
section_ids:
  configure-httponly: Verify the httpOnly flag is enabled
---

# HttpOnly session cookies

To help protect against cross-site scripting (XSS) attacks, configure session cookies with the `HttpOnly` flag. When a cookie has this flag, browsers prevent client-side scripts from accessing it. This is an effective way to prevent attackers from stealing session information.

By default, AM enables the `HttpOnly` flag on its session cookies.

> When the `HttpOnly` flag is enabled, a successful call to the `/json/authenticate` endpoint returns a response with an empty `tokenId` field. This happens because the session token is sent in the `HttpOnly` cookie and is not available to the script to be included in the JSON payload. For example:
>
> ```json
> {
>   "tokenId":"",
>   "successUrl":"/am/console",
>   "realm":"/alpha"
> }
> ```

## Verify the `httpOnly` flag is enabled

The `httpOnly` flag is enabled by default. To verify that it's enabled, follow these steps:

1. In the AM admin UI, go to Configure > Server Defaults > Advanced.

2. Find the `com.sun.identity.cookie.httponly` advanced server property and make sure it's set to `true`.

3. If you change the value, save your changes and restart AM or the container where it runs.

4. If you have a site with multiple AM servers, verify this setting on each server.

> AM also uses the `Secure` flag for cookies. When a request is made over HTTPS, AM adds the `Secure` flag to all cookies (except `amlbcookie`). This flag tells the browser to only send the cookie over an encrypted connection.
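The admin UI check above confirms the server setting; the script below, an added example that is not part of the AM documentation or product, checks the same thing from the client side by inspecting the `Set-Cookie` headers and JSON body that `/json/authenticate` returns, covering both the `HttpOnly` behaviour (empty `tokenId`) and the `Secure` flag note (with `amlbcookie` exempt). It assumes `iPlanetDirectoryPro` as the session cookie name and uses constructed sample headers in place of a live response.

```python
import json

SESSION_COOKIE = "iPlanetDirectoryPro"  # assumption: AM's default session cookie name
SECURE_EXEMPT = {"amlbcookie"}          # AM does not add Secure to this cookie

# Constructed sample of what a correctly configured AM server returns over HTTPS
# after a successful /json/authenticate call (token value redacted).
SAMPLE_SET_COOKIE = [
    "iPlanetDirectoryPro=REDACTED_TOKEN; Path=/; Domain=am.example.com; HttpOnly; Secure",
    "amlbcookie=01; Path=/; Domain=am.example.com",
]
SAMPLE_BODY = '{"tokenId":"","successUrl":"/am/console","realm":"/alpha"}'


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {lower-cased attribute names})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, over_https=True):
    """Return a list of findings; an empty list means the flags match the expected policy."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == SESSION_COOKIE and "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (check com.sun.identity.cookie.httponly)")
        if over_https and name not in SECURE_EXEMPT and "secure" not in attrs:
            findings.append(f"{name}: missing Secure on an HTTPS response")
    return findings


def token_leaks_to_script(body):
    """True if the JSON payload still carries the session token, i.e. tokenId is non-empty."""
    return bool(json.loads(body).get("tokenId"))


if __name__ == "__main__":
    print(audit_cookies(SAMPLE_SET_COOKIE))     # [] -> flags are as expected
    print(token_leaks_to_script(SAMPLE_BODY))    # False -> token only in the HttpOnly cookie
    # A weak deployment: session cookie set without either flag over HTTPS.
    weak = ["iPlanetDirectoryPro=REDACTED_TOKEN; Path=/; Domain=am.example.com"]
    for finding in audit_cookies(weak):
        print(finding)
```

Feed it the real headers from a `requests` or `curl -i` response to check each server in a multi-server site, as step 4 above recommends.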
