STIGQter: STIG Summary: Apache Server 2.4 UNIX Server Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 22 Jan 2021

Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.

DISA Rule

SV-214251r612240_rule

Vulnerability Number

V-214251

Group Title

SRG-APP-000223-WSR-000011

Rule Version

AS24-U1-000470

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the "mod_session.conf" file and find the "SessionCookieName" directive.

Set the "SessionCookieName" directive to "session path=/; HttpOnly; Secure;". The first argument is the cookie name; everything after it is the attribute string that Apache appends to the Set-Cookie header, so "HttpOnly" keeps the cookie out of reach of client-side script and "Secure" restricts it to TLS connections.

Example:

SessionCookieName session path=/; HttpOnly; Secure;

Restart Apache: apachectl restart

Check Contents

Note: For public-facing web servers that serve only static content and do not require authentication, this is Not Applicable.

Review the web server documentation and configuration to determine if cookies between the web server and client are accessible by applications or web servers other than the originating pair.

grep SessionCookieName <'INSTALL LOCATION'>/mod_session.conf

Confirm that the "HttpOnly" and "Secure" settings are present in the line returned.

Confirm that the line does not contain the "Domain" cookie setting (a "Domain" attribute widens the cookie's scope to other hosts in that domain, which is exactly the cross-host access this requirement prohibits).

Verify the "headers_module (shared)" module is loaded in the web server:

# httpd -M

Verify "headers_module (shared)" is returned in the list of Loaded Modules from the above command.

If the "headers_module (shared)" is not loaded, this is a finding.
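The fix and check above, as an added example that is not part of the STIG or of STIGQter: a POSIX shell function that applies the whole check to a configuration file and to saved `httpd -M` output, reporting a finding when "HttpOnly" or "Secure" is missing, when a "Domain" attribute is present, or when headers_module is not loaded. The file names, the sample directives and the module listing are constructed for illustration; on a real host point it at the file that holds the directive and at a file produced by `httpd -M > modules.txt`.

```sh
#!/bin/sh
# Added example, not part of the STIG or of STIGQter: an automated version of
# the AS24-U1-000470 check. Reads the file holding the SessionCookieName
# directive plus a saved copy of `httpd -M` output and reports a finding when
# HttpOnly or Secure is missing, a Domain attribute is present, or
# headers_module is not loaded. File names and sample content are constructed.

# check_session_cookie CONFIG_FILE MODULES_FILE
#   CONFIG_FILE  - file containing the SessionCookieName directive
#   MODULES_FILE - output of `httpd -M`, saved to a file
# Prints PASS or FINDING; returns 0 when compliant, 1 on a finding.
check_session_cookie() {
    conf="$1"
    mods="$2"

    # First uncommented directive (Apache directive names are case-insensitive).
    line=$(grep -iE '^[[:space:]]*SessionCookieName[[:space:]]' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "FINDING: no SessionCookieName directive in $conf"
        return 1
    fi

    # Drop the directive keyword and the cookie name (first two fields); the
    # rest is the attribute string, e.g. " path=/; HttpOnly; Secure;".
    attrs=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+[^[:space:]]+//')

    # Cookie attribute names are case-insensitive (RFC 6265), so compare
    # lower-cased, trimmed tokens instead of grepping the raw line.
    has_httponly=0; has_secure=0; has_domain=0
    old_ifs=$IFS; IFS=';'; set -f
    for tok in $attrs; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z' | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
        case "$tok" in
            httponly) has_httponly=1 ;;
            secure)   has_secure=1 ;;
            domain=*) has_domain=1 ;;
        esac
    done
    IFS=$old_ifs; set +f

    [ "$has_httponly" -eq 1 ] || { echo "FINDING: HttpOnly missing: $line"; return 1; }
    [ "$has_secure" -eq 1 ]   || { echo "FINDING: Secure missing: $line"; return 1; }
    [ "$has_domain" -eq 0 ]   || { echo "FINDING: Domain attribute present: $line"; return 1; }

    # The STIG also requires mod_headers to be loaded.
    grep -q 'headers_module (shared)' "$mods" \
        || { echo "FINDING: headers_module (shared) not loaded"; return 1; }

    echo "PASS: $line"
    return 0
}

# write_samples DIR: constructed inputs for the demo and test (not real files).
write_samples() {
    dir="$1"
    # Compliant: matches the STIG fix text.
    printf 'SessionCookieName session path=/; HttpOnly; Secure;\n' > "$dir/good.conf"
    # Finding: no Secure flag, so the cookie would also be sent over plain HTTP.
    printf 'SessionCookieName session path=/; HttpOnly;\n' > "$dir/no_secure.conf"
    # Finding: Domain widens the cookie's scope to other hosts in that domain.
    printf 'SessionCookieName session path=/; domain=example.com; HttpOnly; Secure;\n' > "$dir/domain.conf"
    # Finding: a commented-out directive does not configure anything.
    printf '# SessionCookieName session path=/; HttpOnly; Secure;\n' > "$dir/commented.conf"
    # Constructed excerpts of `httpd -M` output, with and without mod_headers.
    printf 'Loaded Modules:\n core_module (static)\n headers_module (shared)\n session_cookie_module (shared)\n' > "$dir/modules.txt"
    printf 'Loaded Modules:\n core_module (static)\n session_cookie_module (shared)\n' > "$dir/modules_no_headers.txt"
}

# Stand-alone demo over the constructed samples.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for c in good no_secure domain commented; do
        check_session_cookie "$d/$c.conf" "$d/modules.txt" || true
    done
    check_session_cookie "$d/good.conf" "$d/modules_no_headers.txt" || true
    rm -rf "$d"
}
demo
```

The check tokenizes the attribute string rather than grepping the raw line, so a cookie name that happens to contain "secure" does not pass the check, and a commented-out directive is treated as absent. It does not parse the full Apache configuration (Include, virtual host or directory scoping), so run it against every file in which the directive may appear.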

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3996

Comments