Check: TCAT-AS-000070
Apache Tomcat 9 STIG:
TCAT-AS-000070
(in version v1 r0.1)
Title
Cookies must have secure flag set. (Cat II impact)
Discussion
It is possible to steal or manipulate web application sessions and cookies when the secure flag is not set on the session cookie. Configuring the secure flag injects the setting into the response header. The $CATALINA_HOME/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.
Check Content
From the Tomcat server console, run the following command:

```
sudo grep -i -B10 -A1 \/cookie-config $CATALINA_HOME/conf/web.xml
```

If the command returns no results, or if the <secure> element is not set to true, this is a finding.

EXAMPLE:

```xml
<session-config>
  <session-timeout>15</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```
Fix Text
From the Tomcat server console, as a privileged user, edit $CATALINA_HOME/conf/web.xml. If the cookie-config section does not exist, it must be added. Add or modify the <secure> setting and set it to true.

EXAMPLE:

```xml
<session-config>
  <session-timeout>15</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```
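Added example, not part of the STIG or of Tomcat: a small checker that parses web.xml rather than grepping it. The grep above would also print a commented-out <cookie-config> block, which an auditor could misread as compliant; an XML parser discards comments, so that case is reported as a finding. The web.xml fragments are constructed samples, and the namespace URI is the Java EE one that Tomcat 9's conf/web.xml declares.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragments (not taken from the STIG page).
JAVAEE = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
COMPLIANT = f"""<web-app {JAVAEE}><session-config>
  <session-timeout>15</session-timeout>
  <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
</session-config></web-app>"""
INSECURE = f"""<web-app {JAVAEE}><session-config>
  <cookie-config><secure> False </secure></cookie-config>
</session-config></web-app>"""
COMMENTED_OUT = f"""<web-app {JAVAEE}><session-config>
  <!-- <cookie-config><secure>true</secure></cookie-config> -->
</session-config></web-app>"""


def _local(tag):
    """Strip the XML namespace from a tag: '{uri}secure' -> 'secure'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """Return the first direct child of elem with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def cookie_secure_finding(web_xml_text):
    """Return 'PASS' or a 'FINDING: ...' string for TCAT-AS-000070.

    A finding is reported when <session-config>/<cookie-config>/<secure>
    is absent, or when its text is anything other than 'true'
    (whitespace-trimmed, case-insensitive)."""
    root = ET.fromstring(web_xml_text)  # comments are dropped by the parser
    session_cfg = _child(root, "session-config")
    if session_cfg is None:
        return "FINDING: no <session-config> element"
    cookie_cfg = _child(session_cfg, "cookie-config")
    if cookie_cfg is None:
        return "FINDING: no <cookie-config> under <session-config>"
    secure = _child(cookie_cfg, "secure")
    if secure is None:
        return "FINDING: <cookie-config> has no <secure> element"
    value = (secure.text or "").strip().lower()
    if value != "true":
        return f"FINDING: <secure> is {value!r}, expected 'true'"
    return "PASS"


if __name__ == "__main__":
    # Path argument, or $CATALINA_HOME/conf/web.xml as the check describes.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("CATALINA_HOME", "."), "conf", "web.xml")
    with open(path, encoding="utf-8") as fh:
        print(cookie_secure_finding(fh.read()))
```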
Additional Identifiers
Rule ID: TCAT-AS-000070_rule
Vulnerability ID: TCAT-AS-000070
Group Title: SRG-APP-000033-AS-000024
Expert Comments
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement