STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-222933

CAT II (Medium)

Cookies must have http-only flag set.

Rule ID

SV-222933r1137578_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000213

Discussion

It is possible to steal or manipulate web application sessions and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.

Check Content

From the Tomcat server console, run the following command:

sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml

If the command returns no results or if the <http-only> element is not set to true, this is a finding.

EXAMPLE:
<session-config>
  <session-timeout>15</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

Fix Text

From the Tomcat server console, as a privileged user, edit $CATALINA_BASE/conf/web.xml.

If the <cookie-config> section does not exist, it must be added. Add or modify the <http-only> setting and set it to true.

EXAMPLE:
<session-config>
  <session-timeout>15</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
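The grep in the Check Content section only shows the lines around <cookie-config>; a reviewer still has to read them and decide whether <http-only> is present and set to true. The following Python script, added here as an example and not part of the STIG or of Tomcat, automates both the check and the three ways it can fail (no <session-config>, no <cookie-config>, or <http-only> absent or not true). It parses the XML rather than grepping text, and strips the Java EE / Jakarta namespace prefix so it works whether or not the <web-app> root declares one. The three web.xml documents embedded below are constructed samples, and the default path in the command-line entry point is a placeholder, not a value from the STIG.

```python
"""Check a Tomcat web.xml for the V-222933 requirement:
<session-config>/<cookie-config>/<http-only> must be set to true.

Added example; not part of the STIG or of Tomcat. All sample documents
below are constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample 1: compliant, mirrors the STIG example.
COMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

# Constructed sample 2: <cookie-config> missing entirely -> finding.
MISSING_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>
</web-app>
"""

# Constructed sample 3: element present but set to false -> finding.
FALSE_WEB_XML = """<web-app version="4.0">
  <session-config>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip an ElementTree namespace prefix: '{uri}http-only' -> 'http-only'."""
    return tag.rsplit('}', 1)[-1]


def _find_child(elem, name):
    """Return the first direct child whose local (namespace-free) name matches."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def http_only_status(xml_text):
    """Return (compliant, reason) for one web.xml document.

    Walks <web-app> -> <session-config> -> <cookie-config> -> <http-only>
    and reports which step failed, matching the STIG's 'no results or not
    set to true' finding criteria.
    """
    root = ET.fromstring(xml_text)
    session_config = _find_child(root, 'session-config')
    if session_config is None:
        return False, 'no <session-config> element'
    cookie_config = _find_child(session_config, 'cookie-config')
    if cookie_config is None:
        return False, 'no <cookie-config> element'
    http_only = _find_child(cookie_config, 'http-only')
    if http_only is None:
        return False, '<http-only> element missing'
    value = (http_only.text or '').strip()
    if value.lower() != 'true':
        return False, '<http-only> is %r, not true' % value
    return True, '<http-only> is true'


def check_file(path):
    """Read a web.xml from disk and evaluate it."""
    with open(path, encoding='utf-8') as fh:
        return http_only_status(fh.read())


if __name__ == '__main__':
    # Placeholder default path; pass the real $CATALINA_BASE/conf/web.xml as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else '/path/to/CATALINA_BASE/conf/web.xml'
    ok, reason = check_file(path)
    print(('PASS' if ok else 'FINDING (V-222933)') + ': ' + reason)
```

Run it as `python3 check_http_only.py "$CATALINA_BASE/conf/web.xml"`; a non-true or missing element is reported as a finding with the step that failed, which is the same information the grep output would have to be read for by hand.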