Cookies must have http-only flag set.

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Cookies must have http-only flag set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222933	TCAT-AS-000080	SV-222933r615938_rule		Medium

Description
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2021-06-15

Details

Check Text ( C-24605r426243_chk )
From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the element is not set to true, this is a finding. EXAMPLE: 15 true true

Fix Text (F-24594r426244_fix)
From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the setting and set to true. EXAMPLE: 15 true true