We have a client using a Java Applet which is using SiteMinder SSO. The client wants to enable http-only cookies in SiteMinder.
Java Applets in Internet Explorer can read HttpOnly cookies, but only if the case used for the word HttpOnly in the "Set-Cookie:" header is "HttpOnly". SiteMinder's SMSESSION cookie uses "HTTPOnly" which causes Java to not read the cookie at all. This results in SiteMinder timing out the application.
According to RFC 6265, the word should be "HttpOnly".
https://tools.ietf.org/html/rfc6265#section-5.2.6
It seems like most, if not all, browsers will accept a different case, but Java is a stickler for following the RFC and only works with "HttpOnly".
As far as I can tell from searching, only SiteMinder sets this parameter as "HTTPOnly" instead of "HttpOnly". Is there some way to get SiteMinder to set the case so that it correctly sends "HttpOnly" instead of "HTTPOnly"?
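An added example (not from the question's author, and not SiteMinder code) that audits `Set-Cookie` headers for the case mismatch described above: it parses each header per RFC 6265 section 5.2, reports whether `HttpOnly` is present under case-insensitive matching and under the exact grammar spelling, and, as a defender-side mitigation, rewrites a case variant to `HttpOnly`. The sample headers, cookie values and domain are constructed.

```python
"""Audit Set-Cookie headers for a case-variant HttpOnly attribute.

RFC 6265 section 5.2.6 matches attribute names case-insensitively, but
a strict client (the Java applet case in the question) may only honour
the exact spelling "HttpOnly". Cookies flagged here would lose their
HttpOnly protection in such a client.
"""
from typing import List, NamedTuple

CANONICAL = "HttpOnly"  # spelling used by the RFC 6265 grammar (httponly-av)


class CookieAudit(NamedTuple):
    name: str
    httponly_lenient: bool   # present under case-insensitive matching
    httponly_strict: bool    # present with the exact "HttpOnly" spelling
    attrs: List[str]


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie value into its cookie-pair and attributes (RFC 6265 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = [p for p in parts[1:] if p]
    attr_names = [a.split("=", 1)[0].strip() for a in attrs]
    lenient = any(n.lower() == CANONICAL.lower() for n in attr_names)
    strict = CANONICAL in attr_names
    return CookieAudit(name, lenient, strict, attrs)


def find_misspelled_httponly(headers: List[str]) -> List[str]:
    """Return names of cookies whose HttpOnly flag a strict parser would drop."""
    return [a.name for a in map(parse_set_cookie, headers)
            if a.httponly_lenient and not a.httponly_strict]


def normalize_httponly(header: str) -> str:
    """Rewrite any case variant of the HttpOnly attribute to the RFC spelling."""
    parts = [p.strip() for p in header.split(";")]
    fixed = [CANONICAL if p.lower() == CANONICAL.lower() else p for p in parts[1:]]
    return "; ".join([parts[0]] + fixed)


# Constructed sample headers; not captured from a real SiteMinder deployment.
SAMPLE_HEADERS = [
    "SMSESSION=abc123; Path=/; Domain=.example.com; Secure; HTTPOnly",
    "JSESSIONID=xyz789; Path=/app; Secure; HttpOnly",
    "tracking=1; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        a = parse_set_cookie(h)
        print(f"{a.name}: lenient={a.httponly_lenient} strict={a.httponly_strict}")
    print("needs fixing:", find_misspelled_httponly(SAMPLE_HEADERS))
    print("rewritten:", normalize_httponly(SAMPLE_HEADERS[0]))
```

The rewrite function is the shape of fix one would apply at a reverse proxy in front of the agent if the product itself cannot be configured to emit the canonical spelling.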