By default, Glassfish v3 doesn't set the httpOnly flag on session cookies (when created as usual with request.getSession()).
I know there is a method javax.servlet.SessionCookieConfig.setHttpOnly(), but I'm not sure if that's the best way to do it and, if so, where the best place would be to put that line.
BTW, of course it can't be done in the servlet itself (e.g. in init()):
java.lang.IllegalStateException: PWC1426:
Unable to configure httpOnly session tracking cookie property for
servlet context /..., because this servlet context has already been initialized
Generally, I would prefer to use a configuration option, e.g. in web.xml.
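
The following is an added example, not part of the original post. It shows the two places where the Servlet 3.0 API accepts this setting before the context is initialized, which avoids the IllegalStateException quoted above: a listener's contextInitialized() and the web.xml deployment descriptor. It assumes a Servlet 3.0 container; the class name is hypothetical.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/*
 * Declarative equivalent, for a web.xml declared as version 3.0:
 *
 *   <session-config>
 *     <cookie-config>
 *       <http-only>true</http-only>
 *     </cookie-config>
 *   </session-config>
 *
 * Use either the descriptor or this listener; both are not needed.
 */

// Hypothetical class name. The listener must be annotated with @WebListener
// or declared in web.xml / web-fragment.xml; otherwise
// getSessionCookieConfig() throws UnsupportedOperationException.
@WebListener
public class HttpOnlySessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // The context is still being initialized at this point, so the
        // session tracking cookie can be configured. Calling the same
        // method later (for example from Servlet.init()) fails with
        // IllegalStateException, as in the PWC1426 message above.
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookieConfig = ctx.getSessionCookieConfig();
        cookieConfig.setHttpOnly(true);

        // Record the effective value so a deployment check can confirm it.
        ctx.log("Session cookie HttpOnly = " + cookieConfig.isHttpOnly());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up.
    }
}
```

To verify after deployment, check that the Set-Cookie response header for the session cookie carries the HttpOnly attribute.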