With the default settings the session id may be appended to the URL. Anyone who sees that session id (for example by capturing the traffic of an unencrypted wifi network with Wireshark) can take over your login session simply by reusing it.
After you log in to your JSF web application, the URL shown in your browser should therefore not look like this: www.myapplication.tld/site.xhtml;jsessionid=XXXX
1. Go to the folder WEB-INF.
If you use NetBeans, you can find the folder in the Projects tab.
2. Then edit the file web.xml and add the following block inside the <web-app> element:
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
Now recompile and redeploy your application; the session id is then kept in an HttpOnly cookie and no longer appears in the URL.