RE: httpOnly issue
Hi All

I owe an apology, sorry. Although I'd removed all apps I hadn't removed the instrumentation settings from start up. With these removed the issue has gone away.

Thanks for the support

Mark

-----Original Message-----
From: Pritchett, Mark S. (CONT)
Sent: 08 March 2017 13:29
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: httpOnly issue

Hi Mark

The problem remains if I remove all the webapps except ROOT.

Regards

Mark

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: 08 March 2017 13:23
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: httpOnly issue

On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
>
> My first posting.
>
> Server version: Apache Tomcat/7.0.67
> JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00
>
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to some
> cookies.
> I need to determine if this can be 'corrected'.
> My understanding is that httpOnly is the default with this version of
> tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the
> issue is still reported by a scan.
>
> Any ideas please?

Read the docs more carefully.

useHttpOnly applies to session cookies. Any cookie the application creates, the application has to set the httpOnly attribute appropriately.

You have an application problem, not a Tomcat problem.

Mark

The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: httpOnly issue
Hi Mark

The problem remains if I remove all the webapps except ROOT.

Regards

Mark

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: 08 March 2017 13:23
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: httpOnly issue

On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
>
> My first posting.
>
> Server version: Apache Tomcat/7.0.67
> JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00
>
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to some
> cookies.
> I need to determine if this can be 'corrected'.
> My understanding is that httpOnly is the default with this version of
> tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the
> issue is still reported by a scan.
>
> Any ideas please?

Read the docs more carefully.

useHttpOnly applies to session cookies. Any cookie the application creates, the application has to set the httpOnly attribute appropriately.

You have an application problem, not a Tomcat problem.

Mark
Re: httpOnly issue
On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
>
> My first posting.
>
> Server version: Apache Tomcat/7.0.67
> JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00
>
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to some
> cookies.
> I need to determine if this can be 'corrected'.
> My understanding is that httpOnly is the default with this version of tomcat:
> https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the
> issue is still reported by a scan.
>
> Any ideas please?

Read the docs more carefully.

useHttpOnly applies to session cookies. Any cookie the application creates, the application has to set the httpOnly attribute appropriately.

You have an application problem, not a Tomcat problem.

Mark
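The distinction Mark Thomas draws above is the one a scan like this usually turns on: Tomcat's `useHttpOnly` context attribute only governs the JSESSIONID cookie it issues itself, while every cookie the application adds through `HttpServletResponse.addCookie` carries whatever attributes the application gave it. The following is an added example, not code from the thread or from Tomcat, showing one way an application (or an operator who cannot change the application's code) can close that gap: a hypothetical servlet filter, `HttpOnlyCookieFilter`, that wraps the response and sets HttpOnly on every cookie added through `addCookie`. It relies on `Cookie.setHttpOnly`, which is part of the Servlet 3.0 API that Tomcat 7 implements; the filter and wrapper class names are this example's own.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (added example, not from the thread or from Tomcat).
 *
 * Tomcat's useHttpOnly only protects the session cookie (JSESSIONID).
 * Cookies the application creates via response.addCookie(...) keep the
 * attributes the application set, so this wrapper forces HttpOnly on each
 * of them before handing the cookie to the real response.
 */
public class HttpOnlyCookieFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new HttpOnlyResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Response wrapper that marks every added cookie HttpOnly. */
    static final class HttpOnlyResponse extends HttpServletResponseWrapper {

        HttpOnlyResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Servlet 3.0 API; Tomcat 7 implements Servlet 3.0.
            // Applies to application cookies only; JSESSIONID is handled
            // by Tomcat's own useHttpOnly setting.
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }
    }
}

/*
 * Registration in the webapp's WEB-INF/web.xml (assumed layout for this example):
 *
 *   <filter>
 *     <filter-name>httpOnlyCookies</filter-name>
 *     <filter-class>HttpOnlyCookieFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>httpOnlyCookies</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

Two caveats a practitioner would want. First, the wrapper only sees cookies that go through `addCookie`; code that writes a raw `Set-Cookie` header with `setHeader`/`addHeader` bypasses it and must be fixed at the source. Second, as the thread's resolution shows, the cookie need not come from a deployed webapp at all: agents or instrumentation configured at startup can emit their own cookies, so when a scan keeps reporting the finding with every webapp except ROOT removed, inspect the `Set-Cookie` headers in the actual responses (for example with `curl -sI` against the flagged URL) and check the JVM startup options before assuming the container is at fault.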