UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cookies must have http-only flag set.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222933 TCAT-AS-000080 SV-222933r879530_rule Medium
Description
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2023-12-18

Details

Check Text ( C-24605r426243_chk )
From the Tomcat server console, run the following command:

sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml

If the command returns no results or if the element is not set to true, this is a finding.

EXAMPLE:

15

true
true

Fix Text (F-24594r426244_fix)
From the Tomcat server console as a privileged user:

edit the $CATALINA_BASE/conf/web.xml

If the cookie-config section does not exist it must be added. Add or modify the setting and set to true.

EXAMPLE:

15

true
true