Cookies must have http-only flag set.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-222933 | TCAT-AS-000080 | SV-222933r960792_rule | CCI-000213 | medium |
| Description | ||||
| It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element. | ||||
| STIG | Date | |||
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 | |||
Details
Check Text (C-222933r960792_chk)
From the Tomcat server console, run the following command:
sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml
If the command returns no results or if the <http-only> element is not set to true, this is a finding.
EXAMPLE:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
Fix Text (F-24594r426244_fix)
From the Tomcat server console as a privileged user:
edit the $CATALINA_BASE/conf/web.xml
If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true.
EXAMPLE:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>