<http-only>true</http-only> to your web.xml configuration.
This works on most application servers. More on that later.
Additionally, you will likely want to restrict the JSESSIONID to cookies only, so that the session identifier is never placed in the URL. This is accomplished by adding <tracking-mode>COOKIE</tracking-mode> to your web.xml configuration.
This is again a common sense approach that has been mentioned in a number of publications and articles. However, this simple EE 6 configuration did not work for me on IBM WebSphere. There is a security mechanism called "Programmatic session cookie configuration" that prevents the JSESSIONID cookie from being modified. I found that I could rename the JSESSIONID for the application in the web.xml to get around this restriction. Here is my new configuration with a nod to the NSA:
When I made the changes, everything worked as expected, but I wanted to make sure that, when my session is invalidated, I clean up my "NSA" tracks. So I created a new logout method for my JSF-based application.
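The kind of logout method described above, as an added example rather than the author's code: it assumes a JSF 2 / Servlet 3.0 application and that the container lets the application send a Set-Cookie for the session cookie name. Instead of hard-coding the renamed cookie, it reads the name and path from the container's SessionCookieConfig, so it stays correct whatever name web.xml assigns.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Hypothetical JSF managed bean; bind logout() to a commandButton action.
public class LogoutBean {

    public String logout() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        ServletContext sc = (ServletContext) ec.getContext();

        // Session cookie name/path as configured in web.xml (<cookie-config>),
        // falling back to the servlet defaults when they are not set.
        SessionCookieConfig cfg = sc.getSessionCookieConfig();
        String cookieName = cfg.getName() != null ? cfg.getName() : "JSESSIONID";
        String path = cfg.getPath();
        if (path == null) {
            path = sc.getContextPath().isEmpty() ? "/" : sc.getContextPath();
        }

        // 1. Destroy the server-side session so the old ID is worthless.
        ec.invalidateSession();

        // 2. Tell the browser to drop the cookie: same name and path, Max-Age 0.
        //    Keep the HttpOnly/Secure flags consistent with the original cookie.
        Cookie expired = new Cookie(cookieName, "");
        expired.setPath(path);
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(cfg.isSecure());
        ((HttpServletResponse) ec.getResponse()).addCookie(expired);

        // 3. Redirect (marks the response complete) so no view renders with
        //    the now-invalid session. "login.xhtml" is an assumed page name.
        ec.redirect(ec.getRequestContextPath() + "/login.xhtml");
        return null;
    }
}
```

After logout, confirm in the browser's developer tools that the renamed session cookie is gone and that a new session ID is issued on the next request rather than the old one being accepted.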