UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cookies must have secure flag set.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222932 TCAT-AS-000070 SV-222932r879530_rule Medium
Description
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2023-09-13

Details

Check Text ( C-24604r426240_chk )
From the Tomcat server console, run the following command:

sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml

If the command returns no results or if the element is not set to true, this is a finding.

EXAMPLE:

15

true
true

Fix Text (F-24593r426241_fix)
From the Tomcat server console as a privileged user:

edit the $CATALINA_BASE/conf/web.xml

If the cookie-config section does not exist it must be added. Add or modify the setting and set to true.

EXAMPLE:

15

true
true