Sumit,

On 7/20/19 08:47, Sumit Bhardwaj wrote:
> Hi,
> 
> We are using tomcat 9 and getting following two vulnerabilities in
> security scans.
> 
> Cookie Does Not Contain The "secure" Attribute (1)
> Cookie Does Not Contain The "HTTPOnly" Attribute (1)

Does the security scan tell you the NAME of the cookie(s) without
these attributes?

> We have done the things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
> 
> <cookie-config>
>   <http-only>true</http-only>
>   <secure>true</secure>
> </cookie-config>
> 
> and also updating context.xml with useHttpOnly="true". It has
> not helped.

Not surprising, since both of those are the default settings when
using HTTPS. You *are* using HTTPS, right?

> We also tried updating our web application's web.xml with the 
> cookie-config, but it has also not helped.
> 
> What else do we need to do?

Are you using a load-balancer? If so, what is the setup?

- -chris
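An added check, not code from this thread or from Tomcat, that answers the first question Chris asks: it pulls the Set-Cookie headers out of a captured HTTP response and reports, per cookie name, which of the Secure / HttpOnly attributes are missing. The response text is constructed to look like what a scanner would see when TLS is terminated in front of Tomcat and the session cookie therefore arrives without Secure; cookie names and values are made up.

```python
from typing import Dict, List, Set, Tuple

# The two attributes the security scan complained about (compared case-insensitively).
REQUIRED = ("secure", "httponly")


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response
    (status line plus headers, as captured with `curl -i` or a proxy)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute names).
    The first '=' separates name from value, so values containing '=' are safe;
    attribute values such as Path=/ are dropped because only the names matter."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the required attributes it lacks.
    Cookies that already carry both flags are left out of the report."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        name, attrs = parse_set_cookie(h)
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            report[name] = missing
    return report


# Constructed sample response: JSESSIONID is HttpOnly (Tomcat's default) but not
# Secure, as happens when Tomcat sees the request as plain HTTP behind a load balancer.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/app; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: tracking=xyz; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for cookie, flags in missing_flags(set_cookie_headers(SAMPLE_RESPONSE)).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

Run it against a response captured through the load balancer and one captured directly from Tomcat: if the direct response is clean and the balanced one is not, the missing attribute is being lost at the TLS-terminating hop rather than in Tomcat's configuration.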
