We are to move usage of cookies to be marked as HttpOnly. Getting cookies at client side is forbidden. One solution is to add a service at /ovirt-engine/services to get the cookie if actually required. May be other solutions as well.
Vojtech - don't we have the session ID somewhere else in the client context?
(In reply to Oved Ourfali from comment #1) > Vojtech - don't we have the session ID somewhere else in the client context? In general, GWT client code is agnostic (unaware) of the application's (WebAdmin/UserPortal) session, represented by the JSESSIONID cookie. Browser takes care of cookie handling and server takes care of cookie -> HttpSession association, so GWT client code has no real reason to access the session ID. One exception to above rule is ReportModel and ReportsListModel, both of which have: String sessionID = Cookies.getCookie("JSESSIONID"); ReportModel and ReportsListModel execute in WebAdmin context so above statement attempts to access JSESSIONID cookie set for path /ovirt-engine/webadmin, which will fail in case the cookie is marked as HttpOnly. Aside from that, in WebAdmin, we read REST application's session ID via _response header_ (named 'JSESSIONID') and not via cookie, since WebAdmin code at path /ovirt-engine/webadmin cannot access cookie for path /ovirt-engine/api anyway. So fixing ReportModel and ReportsListModel should be enough to make HttpOnly cookie flag work for WebAdmin/UserPortal applications.
oVirt 3.5 has been released and should include the fix for this issue.