Java EE 6/7 Session Security

I was testing some additional functionality that is available for security on Java EE 6 and EE 7 platforms. One item that is extremely important for all developers is avoiding Cross-Site Scripting (XSS) issues. This can normally be handled very easily by adding http-onlyto your web.xml configuration.
This works on most application servers. More on that later.
Additionally, you may will likely only want to set the JSESSIONID to be a cookie to prevent the cookie information being placed in the URL. This is accomplished by adding tracking-mode to to your web.xml configuration.
This is again a common sense approach that has been mentioned in a number of publications, and articles. However, this simple EE 6 configuration did not work for me on IBM WebSphere. There is a security mechanism called "Programmatic session cookie configuration" that prevents the JSESSIONID cookie from being modified. I found that I could re-name the JSESSIONID for the application in the web.xml to get around this restriction. Here is my new configuration with a nod to the NSA:
When I made the changes, everything worked as expected, but I wanted to make sure when my session is invalidated that I clean up my "NSA" tracks. So I created a new logout method for my JSF based application.

UPDATE

Here is the code for the project: security-configuration-example

References

• HttpOnly
• Seven Security (Mis)Configurations in Java web.xml Files