Cookies must have http-only flag set.

An XCCDF Rule

Details
Profiles

Description

It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.

ID: SV-222933r960792_rule
Version: TCAT-AS-000080
Severity: Medium
References: CCI-000213
Updated: 15 days ago

Remediation Templates

From the Tomcat server console as a privileged user:

edit the $CATALINA_BASE/conf/web.xml

If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true.
EXAMPLE:
<session-config>
   <session-timeout>15</session-timeout>
     <cookie-config>
       <http-only>true</http-only>
        <secure>true</secure>
     </cookie-config>
</session-config>

Cookies must have http-only flag set.

Description

Remediation Templates

A Manual Procedure