STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Apache Server 2.4 Windows Site Security Technical Implementation Guide

V-214394

CAT II (Medium)

Cookies exchanged between the Apache web server and the client, such as session cookies, must have cookie properties set to prohibit client-side scripts from reading the cookie data.

Rule ID

SV-214394r961632_rule

STIG

Apache Server 2.4 Windows Site Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-002418

Discussion

A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers could be compromised and used by an attacker who intercepts the cookie. Setting cookie properties (i.e., HttpOnly property) to disallow client-side scripts from reading cookies better protects the information inside the cookie.

Check Content

Verify the  "session_cookie_module"  module is installed.

Inspect the httpd.conf file to confirm the "session_cookie_module" is being used.

If the "session_cookie_module" module is not being used, this is a finding.

Search for the "Session" and "SessionCookieName" directives.

If "Session" is not "on" and "SessionCookieName" does not contain "httpOnly" and "secure", this is a finding.

Fix Text

Set "Session" to "on". 

Ensure the "SessionCookieName" directive includes "httpOnly" and "secure".