TCAT-AS-000080 – Cookies must have http-only flag set.

Details

Without a secure cookie configuration, it is possible to steal or manipulate a web application's sessions and cookies. Configuring the flag in web.xml injects the setting into the cookie the server sends in its response header.

The $CATALINA_BASE/conf/web.xml file controls how all applications handle session cookies via the <cookie-config> element.

Solution

From the Tomcat server console as a privileged user:

Edit $CATALINA_BASE/conf/web.xml.

If the <cookie-config> section does not exist, it must be added. Add or modify the <http-only> setting and set it to true.

EXAMPLE:

    <session-config>
      <session-timeout>15</session-timeout>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
    </session-config>
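The following is an added compliance check, not part of the original control text: it parses a Tomcat web.xml and reports whether <session-config><cookie-config><http-only> is set to true, matching elements by local name so it works with or without the Java EE default namespace. The two sample web.xml fragments are constructed for the demonstration and do not come from any real server.

```python
import xml.etree.ElementTree as ET

def _find(parent, name):
    # Match on local name so the check works with or without the Java EE default namespace.
    for child in parent:
        if child.tag.rsplit('}', 1)[-1] == name:
            return child
    return None

def check_http_only(web_xml_text):
    """Return (compliant, finding) for <session-config><cookie-config><http-only>."""
    root = ET.fromstring(web_xml_text)
    session = _find(root, "session-config")
    if session is None:
        return False, "no <session-config> element"
    cookie = _find(session, "cookie-config")
    if cookie is None:
        return False, "no <cookie-config> element; add it"
    http_only = _find(cookie, "http-only")
    if http_only is None:
        return False, "no <http-only> element; add it and set to true"
    value = (http_only.text or "").strip().lower()
    if value != "true":
        return False, f"<http-only> is '{value}', must be 'true'"
    return True, "<http-only> is true"

# Constructed sample inputs (not from any real server): one missing cookie-config, one hardened.
NONCOMPLIANT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>"""

COMPLIANT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for name, text in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, check_http_only(text))
```

To check a live server, read $CATALINA_BASE/conf/web.xml and pass its contents to check_http_only().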

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.


Updated on July 16, 2022