Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-222932 | TCAT-AS-000070 | SV-222932r960792_rule | Medium |
Description |
---|
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element. |
STIG | Date |
---|---|
Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2024-05-23 |
Check Text ( C-24604r426240_chk ) |
---|
From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the EXAMPLE: |
Fix Text (F-24593r426241_fix) |
---|
From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the EXAMPLE: |