UCF STIG Viewer Logo

Cookies must have secure flag set.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222932 TCAT-AS-000070 SV-222932r615938_rule Medium
Description
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2020-12-11

Details

Check Text ( C-24604r426240_chk )
From the Tomcat server console, run the following command:

sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml

If the command returns no results or if the element is not set to true, this is a finding.

EXAMPLE:

15

true
true

Fix Text (F-24593r426241_fix)
From the Tomcat server console as a privileged user:

edit the $CATALINA_BASE/conf/web.xml

If the cookie-config section does not exist it must be added. Add or modify the setting and set to true.

EXAMPLE:

15

true
true