vSphere UI must restrict its cookie path.

An XCCDF Rule

Description

Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol. vSphere UI is bound to the "/ui" virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained.

ID: SV-256795r889384_rule
Version: VCUI-70-000018
Severity: Medium
References: CCI-001664
Updated: about 2 months ago

Remediation Templates

Navigate to and open: 
 
/usr/lib/vmware-vsphere-ui/server/conf/context.xml 
 
Add the following configuration to the <Context> node: 
 sessionCookiePath="/ui" 
 
Example: 
 
<Context useHttpOnly="true" sessionCookieName="VSPHERE-UI-JSESSIONID" sessionCookiePath="/ui"> 
 
Restart the service with the following command: 
 
# vmon-cli --restart vsphere-ui

vSphere UI must restrict its cookie path.

Description

Remediation Templates

A Manual Procedure