Hi Sumit

Please see my response below your question.

-----Original Message-----
From: Sumit Bhardwaj <sumit.bhard...@gmail.com>
Sent: Saturday, July 20, 2019 8:48 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Security vulnerabilities with tomcat 9

> Hi,
>
> We are using tomcat 9 and getting the following two vulnerabilities in security
> scans.
>
> Cookie Does Not Contain The "secure" Attribute (1)
> Cookie Does Not Contain The "HTTPOnly" Attribute (1)
>
> We have done the things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
>
> <cookie-config>
>   <http-only>true</http-only>
>   <secure>true</secure>
> </cookie-config>
>
> and also updating context.xml for useHttpOnly="true".
> It has not helped.
>
> We also tried updating our web application's web.xml with the cookie-config,
> but it has also not helped.
>
> What else do we need to do?
>
> Best
> Sumit

We went through something similar during security scans. We are currently running Tomcat 8.5.x. Apache httpd manages the HTTPS, so TC does not use HTTPS in our config. Made 2 changes to our application's web.xml. Maybe it will work in TC 9.x also?

1. Inserted "web-app_3_1.xsd" into the web-app tag schemaLocation attribute:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1"
         metadata-complete="true">

2. Inserted cookie-config and http-only tags into the existing session-config tag below session-timeout:

<session-config>
  <session-timeout>15</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>

PLEASE NOTE: I am not an expert, but hopefully this information is correct enough to be useful. If not, I trust some of the real experts to correct any errancies. :-)

ALSO, it may help them to help you if you answer their questions when they ask you for more details.
;-)

Don't know about the <secure>true</secure> option.

--
Cris Berneburg
CACI Lead Software Engineer
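A check added here, not from the thread or from Tomcat, that reproduces what the scanner looks at: it parses Set-Cookie header values and lists each cookie missing the Secure or HttpOnly attribute. The sample headers are constructed; run it over the headers your own deployment actually returns (for example from `curl -sI` against the application URL) rather than guessing from the web.xml.

```python
# Added example, not part of the mailing-list thread: audit Set-Cookie
# headers the way a security scanner does and report which cookies lack
# the Secure or HttpOnly attribute. Attribute names are compared
# case-insensitively, as browsers and scanners do.
from typing import Dict, List, Set, Tuple

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Set[str] = set()
    for attr in parts[1:]:
        attr_name = attr.split("=", 1)[0].strip().lower()
        if attr_name:
            attrs.add(attr_name)
    return name, attrs


def audit_set_cookie(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the required flags it is missing.

    Cookies carrying both flags are left out, so an empty result means the
    two findings quoted in the thread would not fire for these headers.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers (not captured from any real server).
SAMPLE_HEADERS = [
    # Session cookie with only <http-only>true</http-only> in effect, as in
    # the web.xml posted above: the "secure" finding would still fire.
    "JSESSIONID=ABCD1234; Path=/app; HttpOnly",
    # A cookie the application itself sets with both attributes: passes.
    "CSRF-TOKEN=EFGH5678; Path=/app; Secure; HttpOnly",
    # cookie-config in web.xml only governs the session cookie; cookies the
    # application sets directly, like this one, must be fixed in code.
    "prefs=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```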