Cookies must have secure flag set.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-222932 | SRG-APP-000033-AS-000024 | TCAT-AS-000070 | SV-222932r960792_rule | 2025-02-11 | 3 |
| Description |
|---|
| It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element. |
| ℹ️ Check |
|---|
| From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the <secure> element is not set to true, this is a finding. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> |
| ✔️ Fix |
|---|
| From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the <secure> setting and set to true. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> |