STIGQter STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Cookies must have http-only flag set.

DISA Rule

SV-222933r615938_rule

Vulnerability Number

V-222933

Group Title

SRG-APP-000033-AS-000024

Rule Version

TCAT-AS-000080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server console as a privileged user:

edit the $CATALINA_BASE/conf/web.xml

If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true.

EXAMPLE:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>

Check Contents

From the Tomcat server console, run the following command:

sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml

If the command returns no results or if the <http-only> element is not set to true, this is a finding.

EXAMPLE:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>

Vulnerability Number

V-222933

Documentable

False

Rule Version

TCAT-AS-000080

Severity Override Guidance

From the Tomcat server console, run the following command:

sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml

If the command returns no results or if the <http-only> element is not set to true, this is a finding.

EXAMPLE:
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>

Check Content Reference

M

Target Key

4094

Comments