Cookies must have secure flag set.

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cookies must have secure flag set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222932	TCAT-AS-000070	SV-222932r615938_rule		Medium

Description
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2021-06-15

Details

Check Text ( C-24604r426240_chk )
From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the element is not set to true, this is a finding. EXAMPLE: 15 true true

Fix Text (F-24593r426241_fix)
From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the setting and set to true. EXAMPLE: 15 true true