I just learned about HttpOnly cookies, which prevent client-side code in the browser from tampering with cookies. I found a little more information in this article: https://www.owasp.org/index.php/HttpOnly. To do this in Java for a cookie, write:
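Cookie cookie = getMyCookie("myCookieName");
cookie.setHttpOnly(true);
response.addCookie(cookie); // the flag only reaches the browser when the cookie is sent in the response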
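In particular, for the session cookie, you can use the following code:
// Run at startup, e.g. in ServletContextListener.contextInitialized(event); once the context is initialized, setHttpOnly throws IllegalStateException.
SessionCookieConfig config = event.getServletContext().getSessionCookieConfig();
config.setHttpOnly(true);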
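Both settings in deployable form, as an added example that is not code from the original post. It assumes a Servlet 3.0+ container with annotation scanning and the javax.servlet namespace; the class names, the /prefs path and the "theme" cookie are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical holder class; the nested classes are what the container picks up.
public final class HttpOnlyExample {

    // Session cookie: configured once while the context is starting.
    // The SessionCookieConfig setters throw IllegalStateException after
    // the ServletContext has been initialized, so this cannot be done per request.
    @WebListener
    public static class SessionCookieSetup implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent event) {
            SessionCookieConfig config = event.getServletContext().getSessionCookieConfig();
            config.setHttpOnly(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent event) {
            // nothing to clean up
        }
    }

    // Application cookie: the flag is set on the Cookie object and takes
    // effect only when that cookie is added to the response.
    @WebServlet("/prefs")
    public static class PrefsServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            req.getSession(true);                        // session cookie inherits HttpOnly from the config above
            Cookie theme = new Cookie("theme", "dark");  // constructed sample value
            theme.setHttpOnly(true);
            theme.setPath("/");
            resp.addCookie(theme);
            resp.setContentType("text/plain");
            resp.getWriter().println("cookies set");
        }
    }
}
```

To check the result, look at the Set-Cookie response headers in the browser's network tab: both cookies should carry the HttpOnly attribute and neither should appear in document.cookie.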