vSphere UI must restrict its cookie path.

An XCCDF Rule

Description

<VulnDiscussion>Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol. vSphere UI is bound to the "/ui" virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256795r889384_rule
Severity: Medium
References: CCI-001664
Updated: 9 months ago

Navigate to and open: 
 
/usr/lib/vmware-vsphere-ui/server/conf/context.xml 
 
Add the following configuration to the <Context> node: 
 sessionCookiePath="/ui" 
 
Example: 
 
<Context useHttpOnly="true" sessionCookieName="VSPHERE-UI-JSESSIONID" sessionCookiePath="/ui"> 
 
Restart the service with the following command: 
 
# vmon-cli --restart vsphere-ui

vSphere UI must restrict its cookie path.

Description

Remediation - Manual Procedure