Sumit,

On 7/20/19 08:47, Sumit Bhardwaj wrote:
> Hi,
>
> We are using tomcat 9 and getting the following two vulnerabilities in
> security scans.
>
> Cookie Does Not Contain The "secure" Attribute (1)
> Cookie Does Not Contain The "HTTPOnly" Attribute (1)

Does the security scan tell you the NAME of the cookie(s) without these
attributes?

> We have done things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
>
> <cookie-config>
>   <http-only>true</http-only>
>   <secure>true</secure>
> </cookie-config>
>
> and also updating the context.xml for useHttpOnly="true". It has
> not helped.

Not surprising, since both of those are the default settings when using
HTTPS. You *are* using HTTPS, right?

> We also tried updating our web application's web.xml with the
> cookie-config, but it has also not helped.
>
> What else do we need to do?

Are you using a load-balancer? If so, what is the setup?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
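Added example, not part of the thread above: a small checker that parses the Set-Cookie headers of a captured response (for instance the output of `curl -i` against the public URL) and reports which cookie NAMES lack Secure or HttpOnly, which is the first thing Chris asks for. The response headers are constructed; the `lbsticky` cookie is a made-up stand-in for a cookie a front-end load-balancer might add, since such cookies are set outside Tomcat and are unaffected by `cookie-config` or `useHttpOnly`.

```python
"""Report which cookies in an HTTP response lack the Secure / HttpOnly flags.

Added example for the thread; the headers below are constructed, not a
capture from any real server.
"""
from typing import Dict, List, NamedTuple, Set

# Constructed sample response: JSESSIONID is set correctly by Tomcat, an
# application-set cookie has neither flag, and a (hypothetical) load-balancer
# persistence cookie has HttpOnly but not Secure.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=ABC123; Path=/app; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
Set-Cookie: lbsticky=node1; Path=/; HttpOnly
Content-Type: text/html"""

# Attribute names are case-insensitive per RFC 6265, so compare lowercased.
REQUIRED = ("secure", "httponly")


class Cookie(NamedTuple):
    name: str
    attrs: Set[str]


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into the cookie name and its attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name, attrs)


def find_weak_cookies(raw_headers: str) -> Dict[str, List[str]]:
    """Map each cookie name to the required attributes it is missing.

    Cookies that already carry both flags do not appear in the result.
    """
    weak: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line.split(":", 1)[1])
        missing = [a for a in REQUIRED if a not in cookie.attrs]
        if missing:
            weak[cookie.name] = missing
    return weak


if __name__ == "__main__":
    for name, missing in find_weak_cookies(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run it against headers captured through the same path the scanner uses (load-balancer included), because a cookie that is flagged may be set by a component in front of Tomcat rather than by Tomcat itself.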