Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-222933 | TCAT-AS-000080 | SV-222933r615938_rule | Medium |
Description |
---|
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element. |
STIG | Date |
---|---|
Apache Tomcat Application Sever 9 Security Technical Implementation Guide | 2021-06-15 |
Check Text ( C-24605r426243_chk ) |
---|
From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the EXAMPLE: |
Fix Text (F-24594r426244_fix) |
---|
From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the EXAMPLE: |