Details

Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie ‘Secure’ property can be set.

Solution

Determine the location of the ‘HTTPD_ROOT’ directory and the ‘httpd.conf’ file:

# httpd -V | egrep -i ‘httpd_root|server_config_file’
-D HTTPD_ROOT=’/etc/httpd’
-D SERVER_CONFIG_FILE=’conf/httpd.conf’

Set ‘Session’ to ‘on’.

Ensure the ‘SessionCookieName’ directive includes ‘httpOnly’ and ‘secure’.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_UNIX_Y22M01_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-8
• CAT|II
• CCI|CCI-002418
• Rule-ID|SV-214303r612241_rule
• STIG-ID|AS24-U2-000890
• STIG-Legacy|SV-102923
• STIG-Legacy|V-92835
• Vuln-ID|V-214303

Source

• Tenable.com/audits