Hi Sumit

Please see my response below your question.

-----Original Message-----
From: Sumit Bhardwaj <sumit.bhard...@gmail.com> 
Sent: Saturday, July 20, 2019 8:48 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Security vulnerabilities with tomcat 9

> Hi,
>
> We are using tomcat 9 and getting the following two vulnerabilities in security 
> scans.
>
> Cookie Does Not Contain The "secure" Attribute (1)
> Cookie Does Not Contain The "HTTPOnly" Attribute (1)
>
> We have done things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
>
> <cookie-config>
> <http-only>true</http-only>
> <secure>true</secure>
> </cookie-config>
>
> and also updating the context.xml for useHttpOnly="true"
> It has not helped.
>
> We also tried updating our web application's web.xml with the cookie-config, 
> but it has also not helped.
>
> What else do we need to do?
>
> Best
> Sumit

We went through something similar during security scans.  We are currently 
running Tomcat 8.5.x.  Apache httpd manages the HTTPS, so TC does not use HTTPS 
in our config.  Made 2 changes to our application's web.xml.  Maybe it will 
work in TC 9.x also?

1. Inserted "web-app_3_1.xsd" into the web-app tag schemaLocation attribute:

<?xml version="1.0" encoding="UTF-8"?>
<web-app
  xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
    http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1"
  metadata-complete="true">

2. Inserted cookie-config and http-only tags into the existing session-config 
tag below session-timeout:

    <session-config>
        <session-timeout>15</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>   

PLEASE NOTE: I am not an expert, but hopefully this information is correct 
enough to be useful.  If not, I trust some of the real experts to correct any 
errancies.  :-) 

ALSO, it may help them to help you if you answer their questions when they ask 
you for more details.  ;-)

Don't know about the <secure>true</secure> option.

--
Cris Berneburg
CACI Lead Software Engineer
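The two scan findings quoted in the question are decided purely by the attributes on the Set-Cookie header, so the quickest way to confirm that the web.xml change above actually took effect is to look at that header rather than re-running the scanner. The script below is an added example (not code from either poster or from Tomcat): it parses raw Set-Cookie header values and reports, per cookie, which of the two attributes (HttpOnly, Secure) is missing. The sample header values are constructed; the "before" line mimics a Tomcat session cookie with neither attribute, the "after" line one that carries both. The `served_over_tls` switch is an assumption of this example for sites that are genuinely served over plain HTTP only, where a Secure cookie would never be sent back.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for the thread above; not code from the posters or from Tomcat.
Works offline on header strings, so it can be fed either from a captured
response or from http.client (response.headers.get_all("Set-Cookie")).
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure and HttpOnly get an empty-string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';' or doubled separators
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_flags(header_value, served_over_tls=True):
    """Return (cookie name, list of missing attribute names) for one header.

    served_over_tls=False is an assumption of this example: on a site that is
    never reachable over HTTPS the Secure attribute cannot be honored, so it
    is not reported there. For a TLS site (including TLS terminated in front
    of Tomcat) both attributes are expected.
    """
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly")
    if served_over_tls and "secure" not in attrs:
        findings.append("Secure")
    return name, findings


def audit(set_cookie_headers, served_over_tls=True):
    """Audit every Set-Cookie header of one response.

    Returns {cookie name: [missing attributes]}; an empty list means the
    cookie would pass both of the scan checks quoted in the thread.
    """
    report = {}
    for header_value in set_cookie_headers:
        name, findings = missing_flags(header_value, served_over_tls)
        report[name] = findings
    return report


# Constructed sample headers: a session cookie before and after the fix.
SAMPLE_BEFORE = ["JSESSIONID=0123ABCDEF; Path=/app"]
SAMPLE_AFTER = ["JSESSIONID=0123ABCDEF; Path=/app; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for cookie, missing in audit(headers).items():
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {cookie}: {status}")
```

When the response comes from Tomcat through a front-end httpd, run the check against the URL users actually hit (the HTTPS one), because that is what the scanner sees; a cookie that is fine on the public URL but lacks Secure when Tomcat is queried directly on plain HTTP is expected unless `<secure>true</secure>` is forcing the attribute.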


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
