Hi Sumit

Please see my response below your question.

-----Original Message-----
From: Sumit Bhardwaj <sumit.bhard...@gmail.com> 
Sent: Saturday, July 20, 2019 8:48 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Security vulnerabilities with tomcat 9

> Hi,
> We are using tomcat 9 and getting following two vulnerabilities in security 
> scans.
> Cookie Does Not Contain The "secure" Attribute (1)  Cookie Does Not Contain 
> The "HTTPOnly" Attribute (1)
> We have done things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
> <cookie-config>
> <http-only>true</http-only>
> <secure>true</secure>
> </cookie-config>
> and also updating the *context.xml for *useHttpOnly="true"
> It has not helped.
> We also tried updating our web application's web.xml with the cookie-config, 
> but it has also not helped.
> What else do we need to do?
> Best
> Sumit

We went through something similar during security scans.  We are currently 
running Tomcat 8.5.x.  Apache httpd manages the HTTPS, so TC does not use HTTPS 
in our config.  Made 2 changes to our application's web.xml.  Maybe it will 
work in TC 9.x also?

1. Inserted "web-app_3_1.xsd" into the web-app tag schemaLocation attribute:

<?xml version="1.0" encoding="UTF-8"?>

2. Inserted cookie-config and http-only tags into the existing session-config 
tag below session-timeout:


PLEASE NOTE: I am not an expert, but hopefully this information is correct 
enough to be useful.  If not, I trust some of the real experts to correct any 
errancies.  :-) 

ALSO, it may help them to help you if you answer their questions when they ask 
you for more details.  ;-)

Don't know about the <secure>true</secure> option.

Cris Berneburg
CACI Lead Software Engineer
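A quick way to confirm whether the web.xml change actually took effect is to look at the Set-Cookie headers the server sends, which is what the scanner does. The following checker is an added example (not part of this thread, and not Tomcat's own tooling); it parses Set-Cookie headers and reports which cookies lack Secure or HttpOnly, using constructed sample headers, and can also fetch live headers from a URL.

```python
import sys
import urllib.request

# Constructed sample response headers, shaped like what a scanner would see from
# a Tomcat instance behind an httpd TLS terminator (not captured from any real host).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=ABC123DEF456; Path=/app"),
    ("Set-Cookie", "remember=1; Path=/app; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/app; HttpOnly"),
]

# Attribute names are case-insensitive on the wire; map lower-case key -> display name.
REQUIRED = {"secure": "Secure", "httponly": "HttpOnly"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-case attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers):
    """Return {cookie_name: [missing attribute display names]} for every Set-Cookie header.

    `headers` is a list of (field, value) pairs, so repeated Set-Cookie headers are kept.
    """
    findings = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        findings[name] = [disp for key, disp in REQUIRED.items() if key not in attrs]
    return findings


def fetch_headers(url):
    """Fetch a URL and return its response headers as (field, value) pairs."""
    with urllib.request.urlopen(url) as resp:
        return resp.getheaders()


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for cookie, missing in audit_cookies(headers).items():
        print(f"{cookie}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it with no arguments to see the constructed sample audited, or pass the URL of a page that creates a session to check a real deployment; only the JSESSIONID from a request that first creates the session carries Tomcat's session-cookie settings.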
