
V-241732

CAT II (Medium)

tc Server CaSa must set the secure flag for cookies.

Rule ID

SV-241732r879810_rule

STIG

VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-002418

Discussion

Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the transmission. To safeguard against cookies, especially session cookies, being sent in plaintext, a cookie can be encrypted before transmission. To force a cookie to be encrypted before transmission, the cookie Secure property can be set. As a Tomcat derivative, tc Server is based in part on the Java Servlet specification. Servlet 3.0 (Java EE 6) introduced a standard way to configure the secure attribute for the session cookie; this is done by applying the correct configuration in web.xml.

Check Content

At the command prompt, execute the following command:

grep -E '<secure>' /usr/lib/vmware-casa/casa-webapp/conf/web.xml

If the value of the <secure> node is not set to "true" or is missing, this is a finding.

Fix Text

Navigate to and open /usr/lib/vmware-casa/casa-webapp/conf/web.xml.

Navigate to the <session-config> node.

Add the <cookie-config> --> <secure> node setting to the <session-config> node.

Note: The <cookie-config> --> <secure> node should be configured as shown below:

 <cookie-config>
   <secure>true</secure>
 </cookie-config>
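
An added example, not part of the STIG text: a stricter form of the check above that parses web.xml instead of grepping it, so a <secure> node that is commented out or sits outside <session-config> is not counted as compliant. The function names and the sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

def _children(node, name):
    # Match on the local name so a namespaced web.xml (xmlns=...) still works.
    return [c for c in node if c.tag.rsplit("}", 1)[-1] == name]

def secure_flag_finding(web_xml):
    """Return None when compliant, otherwise the reason for the finding."""
    root = ET.fromstring(web_xml)  # the default parser drops XML comments
    values = [
        (sec.text or "").strip()
        for sc in _children(root, "session-config")
        for cc in _children(sc, "cookie-config")
        for sec in _children(cc, "secure")
    ]
    if not values:
        return "<secure> node is missing"
    bad = [v for v in values if v != "true"]
    if bad:
        return "<secure> is set to %r" % bad[0]
    return None

# Constructed sample inputs, not taken from a real CaSa installation.
NS = 'xmlns="http://java.sun.com/xml/ns/javaee"'
COMPLIANT = f"""<web-app {NS}><session-config>
  <cookie-config><secure>true</secure></cookie-config>
</session-config></web-app>"""
# grep -E '<secure>' matches this line even though the node is inactive.
COMMENTED_OUT = f"""<web-app {NS}><session-config>
  <!-- <cookie-config><secure>true</secure></cookie-config> -->
</session-config></web-app>"""
SET_FALSE = """<web-app><session-config>
  <cookie-config><secure> false </secure></cookie-config>
</session-config></web-app>"""

if __name__ == "__main__":
    # Default path is the one from the check text; override with argv[1].
    default = "/usr/lib/vmware-casa/casa-webapp/conf/web.xml"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, "rb") as fh:
        finding = secure_flag_finding(fh.read())
    print("finding: " + finding if finding else "not a finding")
    sys.exit(1 if finding else 0)
```

Run as a script, it exits non-zero on a finding, which lets it slot into a scheduled compliance job.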