Cookies must have http-only flag set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222933	TCAT-AS-000080	SV-222933r960792_rule	CCI-000213	medium
Description
It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.
STIG			Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide			2025-02-11

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

AC-3

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.1.1

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.1.2

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000213

1.00

DISA · 3 · disa_xccdf · related

Details

Check Text (C-222933r960792_chk)

From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the <http-only> element is not set to true, this is a finding. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>

Fix Text (F-24594r426244_fix)

From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>