SSO cookies should be made HttpOnly by default. In org.apache.catalina.authenticator.AuthenticatorBase#register(), 798- response.addCookie(cookie); 798+ response.addCookieInternal(cookie, true);
Since the setting of HttpOnly should be controlled by the useHttpOnly attribute of the context, the code should probably read: 798- response.addCookie(cookie) 798+ response.addCookieInternal(cookie, request.getContext.getUserHttpOnly());
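Review bot: the proposed replacement line `response.addCookieInternal(cookie, request.getContext.getUserHttpOnly());` will not compile as written: `getContext` is a method and needs `()`, and since the comment itself names the context attribute `useHttpOnly`, the getter is `getUseHttpOnly()`, so the line should read `response.addCookieInternal(cookie, request.getContext().getUseHttpOnly());`.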
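The two comments above make one point: the HttpOnly flag on the SSO cookie should follow the context's useHttpOnly setting rather than be hard-coded. The following added example (not Tomcat code, and not part of this bug thread) shows the same rule applied when building a Set-Cookie header, plus a small audit that a defender could run against captured response headers to confirm that session and SSO cookies carry HttpOnly after the fix. The cookie names JSESSIONID and JSESSIONIDSSO are Tomcat's default session and SSO cookie names; the header values themselves are constructed sample data.

```python
"""Build Set-Cookie headers that honour a useHttpOnly setting, and audit
captured Set-Cookie headers for session/SSO cookies missing HttpOnly.
Added example; not part of Tomcat or of the original bug thread."""

from dataclasses import dataclass, field

# Tomcat's default session cookie and single-sign-on cookie names.
SESSION_COOKIE_NAMES = {"JSESSIONID", "JSESSIONIDSSO"}


@dataclass
class SetCookie:
    name: str
    value: str
    # Attribute names are case-insensitive in HTTP, so keys are lower-cased.
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> SetCookie:
    """Parse a single Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def render_set_cookie(name: str, value: str, path: str = "/",
                      use_http_only: bool = True) -> str:
    """Render a Set-Cookie header; HttpOnly follows the use_http_only flag,
    mirroring the thread's point that the flag should track the context's
    useHttpOnly setting instead of a hard-coded true."""
    header = f"{name}={value}; Path={path}"
    if use_http_only:
        header += "; HttpOnly"
    return header


def audit_headers(headers: list) -> list:
    """Return the names of session/SSO cookies that were set without HttpOnly."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name in SESSION_COOKIE_NAMES and not cookie.http_only:
            findings.append(cookie.name)
    return findings


# Constructed sample headers, as they might appear in a captured response.
SAMPLE_HEADERS = [
    "JSESSIONIDSSO=0123456789ABCDEF; Path=/",            # SSO cookie, no HttpOnly
    "JSESSIONID=FEDCBA9876543210; Path=/app; HttpOnly",  # session cookie, fine
    "theme=dark; Path=/",                                # not a session cookie
]

if __name__ == "__main__":
    for name in audit_headers(SAMPLE_HEADERS):
        print(f"cookie {name} is set without HttpOnly")
```

Run the script against headers pulled from a real response (for example from a proxy capture) to confirm that the SSO cookie is now flagged HttpOnly when the context has useHttpOnly enabled, and deliberately absent when it is disabled.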
This has been fixed in trunk and will be included in 7.0.3 onwards. I'll take a look at proposing backports for 6.0.x and 5.5.x.
Patch proposed for 6.0.x and 5.5.x
Fixed in trunk and will be in 5.5.31 onwards.
Fixed in 6.0.x and will be included in 6.0.30 onwards.