TCAT-AS-000080 - Cookies must have http-only flag set.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header.

The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.

Solution

From the Tomcat server console as a privileged user:

edit the $CATALINA_BASE/conf/web.xml

If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true.

EXAMPLE:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R6_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000213, Rule-ID|SV-222933r879530_rule, STIG-ID|TCAT-AS-000080, STIG-Legacy|SV-111397, STIG-Legacy|V-102449, Vuln-ID|V-222933

Plugin: Unix

Control ID: 9ed94bc6f09588ec3b4b3c8bae0c4ab1dd81cabf7123286773f9575b0bb7ab10