RE: httpOnly issue

2017-03-08 Thread Pritchett, Mark S. (CONT)
Hi All

I owe an apology, sorry.
Although I'd removed all apps, I hadn't removed the instrumentation settings 
from startup. With these removed the issue has gone away.

Thanks for the support
Mark

-Original Message-
From: Pritchett, Mark S. (CONT) 
Sent: 08 March 2017 13:29
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: httpOnly issue

Hi Mark

The problem remains if I remove all the webapps except ROOT.

Regards
Mark

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: 08 March 2017 13:23
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: httpOnly issue

On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
> 
> My first posting.
> 
> Server version: Apache Tomcat/7.0.67
> JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00
> 
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to some 
> cookies.
> I need to determine if this can be 'corrected'.



> My understanding is that httpOnly is the default with this version of 
> tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the 
> issue is still reported by a scan.
> 
> Any ideas please?

Read the docs more carefully. useHttpOnly applies to session cookies.

Any cookie the application creates, the application has to set the httpOnly 
attribute appropriately.

You have an application problem, not a Tomcat problem.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



The information contained in this e-mail is confidential and/or proprietary to 
Capital One and/or its affiliates and may only be used solely in performance of 
work or services for Capital One. The information transmitted herewith is 
intended only for use by the individual or entity to which it is addressed. If 
the reader of this message is not the intended recipient, you are hereby 
notified that any review, retransmission, dissemination, distribution, copying 
or other use of, or taking of any action in reliance upon this information is 
strictly prohibited. If you have received this communication in error, please 
contact the sender and delete the material from your computer.





RE: httpOnly issue

2017-03-08 Thread Pritchett, Mark S. (CONT)
Hi Mark

The problem remains if I remove all the webapps except ROOT.

Regards
Mark

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: 08 March 2017 13:23
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: httpOnly issue

On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
> 
> My first posting.
> 
> Server version: Apache Tomcat/7.0.67
> JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00
> 
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to some 
> cookies.
> I need to determine if this can be 'corrected'.



> My understanding is that httpOnly is the default with this version of 
> tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the 
> issue is still reported by a scan.
> 
> Any ideas please?

Read the docs more carefully. useHttpOnly applies to session cookies.

Any cookie the application creates, the application has to set the httpOnly 
attribute appropriately.

You have an application problem, not a Tomcat problem.

Mark










Re: httpOnly issue

2017-03-08 Thread Mark Thomas
On 08/03/17 12:53, Pritchett, Mark S. (CONT) wrote:
> Hi All
> 
> My first posting.
> 
> Server version: Apache Tomcat/7.0.67
> JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00
> 
> A vulnerability scan has shown that tomcat doesn't apply httpOnly to some 
> cookies.
> I need to determine if this can be 'corrected'.



> My understanding is that httpOnly is the default with this version of tomcat: 
> https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
> Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the 
> issue is still reported by a scan.
> 
> Any ideas please?

Read the docs more carefully. useHttpOnly applies to session cookies.

Any cookie the application creates, the application has to set the
httpOnly attribute appropriately.

You have an application problem, not a Tomcat problem.

Mark


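The distinction Mark draws above (useHttpOnly covers only the JSESSIONID cookie Tomcat itself emits; every other cookie is the application's responsibility) is shown below as an added example. It is not code from Tomcat or from the thread: a hypothetical servlet filter, HttpOnlyCookieFilter, that forces HttpOnly (and Secure on TLS requests) onto every cookie the web application adds through the servlet response, whether via the Servlet 3.0 Cookie API or by writing the Set-Cookie header by hand. The class name, the harden/hasAttribute helpers and the "/*" mapping are this example's own choices.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (added example, not Tomcat's code). It hardens cookies
 * the web application creates. It deliberately does nothing for JSESSIONID:
 * Tomcat emits that cookie itself, governed by useHttpOnly in context.xml.
 */
@WebFilter(filterName = "HttpOnlyCookieFilter", urlPatterns = "/*")
public class HttpOnlyCookieFilter implements Filter {

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        final boolean tls = req.isSecure();
        chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) resp) {
            // Path 1: the application uses the Cookie API (Servlet 3.0 setHttpOnly).
            @Override public void addCookie(Cookie cookie) {
                cookie.setHttpOnly(true);
                if (tls) cookie.setSecure(true);
                super.addCookie(cookie);
            }
            // Path 2: the application writes the Set-Cookie header directly.
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, tls) : value);
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? harden(value, tls) : value);
            }
        });
    }

    /** Appends HttpOnly (and Secure over TLS) to a raw Set-Cookie value when absent. */
    static String harden(String setCookie, boolean tls) {
        String base = setCookie.trim();
        while (base.endsWith(";")) {                 // avoid "Path=/;; HttpOnly"
            base = base.substring(0, base.length() - 1).trim();
        }
        StringBuilder sb = new StringBuilder(base);
        if (!hasAttribute(base, "HttpOnly")) sb.append("; HttpOnly");
        if (tls && !hasAttribute(base, "Secure")) sb.append("; Secure");
        return sb.toString();
    }

    /** True if the attribute appears (case-insensitively) after the name=value pair. */
    static boolean hasAttribute(String setCookie, String attr) {
        return Pattern.compile("(?i);\\s*" + Pattern.quote(attr) + "\\s*(=|;|$)")
                      .matcher(setCookie).find();
    }
}
```

Deploy it inside the web application (it needs the Servlet 3.0 API that Tomcat 7 provides, and the annotation is only picked up when web.xml is not marked metadata-complete). The direct application-level fix the filter automates is simply `cookie.setHttpOnly(true)` before `response.addCookie(cookie)`. One caveat that matches how the thread was resolved: a cookie emitted outside the servlet response path, for example by a monitoring agent wired in at JVM startup or by a front-end proxy, may never pass through a filter in the web application, so a scan will keep reporting it until that component is configured or removed.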



httpOnly issue

2017-03-08 Thread Pritchett, Mark S. (CONT)
Hi All

My first posting.

Server version: Apache Tomcat/7.0.67
JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00

A vulnerability scan has shown that tomcat doesn't apply httpOnly to some 
cookies.
I need to determine if this can be 'corrected'.

We're scanning using ZAP, 
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
It finds that the base URL has several cookies, like this example:

  Cookie No HttpOnly Flag
  Cookie No HttpOnly Flag
  1
  2
  Low (Medium)
  A cookie has been set without the HttpOnly flag, which means 
that the cookie can be accessed by JavaScript. If a malicious script can be run 
on this page then the cookie will be accessible and can be transmitted to 
another site. If this is a session cookie then session hijacking may be 
possible.
  
  
  https://localhost:8443/
  ADRUM_BTa=R:0|g:2a2c9071-b525-4756-9f91-9dee7e72e8f0; 
Version=1; Max-Age=30; Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; 
Secure
  ADRUM_BTa=R:0|g:2a2c9071-b525-4756-9f91-9dee7e72e8f0; 
Version=1; Max-Age=30; Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; 
Secure
  


My understanding is that httpOnly is the default with this version of tomcat: 
https://tomcat.apache.org/tomcat-7.0-doc/config/context.html
Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the 
issue is still reported by a scan.

Any ideas please?

Regards
Mark


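To reproduce the scan's "Cookie No HttpOnly Flag" finding without running the scanner, and to see at a glance which cookies Tomcat's useHttpOnly setting can fix and which the application (or whatever else emits them) must fix, here is an added example that is not ZAP's or Tomcat's code. SetCookieAudit checks raw Set-Cookie header values for the HttpOnly and Secure attributes. The ADRUM_BTa value is the one quoted in the report above; the JSESSIONID and prefs values are constructed for the example, and the class and method names are this example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not ZAP's or Tomcat's code): reproduces the scanner's
 * HttpOnly check over Set-Cookie values and separates the session cookie
 * Tomcat emits from cookies the application emits, since they are fixed in
 * different places.
 */
public class SetCookieAudit {

    /** Constructed sample: the ADRUM_BTa value from the scan plus two made-up cookies. */
    static final String[] SAMPLE = {
        "ADRUM_BTa=R:0|g:2a2c9071-b525-4756-9f91-9dee7e72e8f0; Version=1; Max-Age=30; "
            + "Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; Secure",
        "JSESSIONID=0000000000000000; Path=/; Secure; HttpOnly",   // constructed value
        "prefs=dark; Path=/"                                       // constructed value
    };

    /** True if the attribute appears (case-insensitively) after the name=value pair. */
    static boolean hasAttribute(String setCookie, String attr) {
        return Pattern.compile("(?i);\\s*" + Pattern.quote(attr) + "\\s*(=|;|$)")
                      .matcher(setCookie).find();
    }

    /** The cookie name is everything before the first '='. */
    static String cookieName(String setCookie) {
        int eq = setCookie.indexOf('=');
        return (eq < 0 ? setCookie : setCookie.substring(0, eq)).trim();
    }

    /** One finding per missing attribute, tagged with where it has to be fixed. */
    static List<String> audit(String[] setCookieValues) {
        List<String> findings = new ArrayList<String>();
        for (String sc : setCookieValues) {
            String name = cookieName(sc);
            // JSESSIONID is Tomcat's default session cookie name; its flags come
            // from context.xml (useHttpOnly). Everything else is set by the app.
            String owner = "JSESSIONID".equals(name) ? "Tomcat/context.xml" : "application";
            if (!hasAttribute(sc, "HttpOnly")) {
                findings.add(name + ": missing HttpOnly (fix in " + owner + ")");
            }
            if (!hasAttribute(sc, "Secure")) {
                findings.add(name + ": missing Secure (fix in " + owner + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        for (String f : audit(SAMPLE)) {
            System.out.println(f);
        }
    }
}
```

In practice the values fed to audit() would be the Set-Cookie lines captured from a response to the scanned URL, so the result can be compared directly against the scanner's alert. For the sample above the ADRUM_BTa cookie is flagged for HttpOnly only, exactly as in the report, and because its name is not JSESSIONID the finding points at the component that sets it rather than at context.xml.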