
V-255832

CAT II (Medium)

The WebSphere Application Server security cookies must be set to HTTPOnly.

Rule ID

SV-255832r960762_rule

STIG

IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001453

Discussion

Web applications use cookies to track users across requests. These cookies, while typically not sensitive in themselves, connect you to your existing state on the back-end system. If an intruder were to capture one of your cookies, they could potentially use that cookie to act as you. Important web traffic should be encrypted using SSL, and this includes important cookies. In the case of WebSphere Application Server, the most important cookie is the LTPA cookie, and it should therefore be configured to be sent only over SSL.

Check Content

From the administrative console, navigate to Security >> Global Security.

Expand "Web and SIP security".

Click on "Single sign-on (SSO)".

If "Set security cookies to HTTPOnly" is not selected, this is a finding.

Fix Text

From the administrative console, navigate to Security >> Global Security.

Expand "Web and SIP security".

Select "Set security cookies to HTTPOnly".

Click "OK".

Click "Save".

Restart the DMGR and all the JVMs.
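After the restart, the setting can be confirmed from the outside by inspecting the Set-Cookie headers a login response returns. The script below is an added verification example, not part of the STIG text or any IBM tooling; it assumes WebSphere's single sign-on cookies are named LTPAToken/LTPAToken2, and the sample headers it audits are constructed.

```python
# Added example: audit Set-Cookie headers for the HttpOnly (and, per the
# discussion, Secure) attributes on WebSphere LTPA cookies (V-255832).
from dataclasses import dataclass

SECURITY_COOKIES = {"LTPAToken", "LTPAToken2"}  # assumed WebSphere SSO cookie names


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool

    def findings(self) -> list:
        """Required attributes that are missing; an empty list means compliant."""
        missing = []
        if not self.httponly:
            missing.append("HttpOnly")
        if not self.secure:
            missing.append("Secure")
        return missing


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name, "httponly" in attrs, "secure" in attrs)


def audit_response(set_cookie_headers) -> dict:
    """Map each security cookie name to its missing attributes; other cookies are ignored."""
    results = {}
    for header in set_cookie_headers:
        audit = parse_set_cookie(header)
        if audit.name in SECURITY_COOKIES:
            results[audit.name] = audit.findings()
    return results


# Constructed sample headers: a login response before the fix and one after it.
BEFORE_FIX = ["LTPAToken2=AAECAwQFBgc=; Path=/; Domain=.example.com",
              "JSESSIONID=0000abc:-1; Path=/; HttpOnly"]
AFTER_FIX = ["LTPAToken2=AAECAwQFBgc=; Path=/; Domain=.example.com; HttpOnly; Secure",
             "JSESSIONID=0000abc:-1; Path=/; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit_response(headers))
```

Any non-empty list in the result is a finding for that cookie; feed the script the real Set-Cookie headers captured from an authenticated request to a restarted JVM.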