• Compliance Result: TOMCAT CONFIGURATION PROVIDED AS PART OF APPLICATION INSTALL. CHECK WITH VENDOR ON IMPACT OF THESE MODIFICATIONS.
• Notes: <session-config>
Can you answer whether this will impact Spectrum negatively? The suggested fix for the finding:
From the Tomcat server console as a privileged user:
Edit $CATALINA_BASE/conf/web.xml.
If the cookie-config section does not exist, it must be added. Add or modify the <http-only> setting and set it to true.
It is possible to steal or manipulate web application sessions and cookies without a secure cookie. Configuring the secure flag injects the setting into the response header.
The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the <cookie-config> element.
Release : 21.2
Component : Spectrum OneClick
DX NetOps Spectrum already includes the <session-config> element out of the box in the web.xml file.
The other settings have been determined not to be required, because Tomcat applies them by default.
Internal testing determined that Tomcat is setting the http-only flag on its own without the configuration.
OC Webserver configured with HTTP (non-SSL): the HttpOnly flag is enabled.
OC Webserver configured with HTTPS (SSL).
These settings can nevertheless be enabled if required and should not affect the product in any way; however, Broadcom considers them unnecessary, since the flag is already handled properly.
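The check behind the internal testing above can be reproduced against any captured response headers. The following is an added example, not code from Broadcom or the Spectrum product: it parses Set-Cookie headers and reports whether the session cookie carries HttpOnly and, on an HTTPS deployment, Secure. The header lines are constructed samples, and JSESSIONID is assumed as the Tomcat default session cookie name.

```python
from typing import Dict, List

SESSION_COOKIE = "JSESSIONID"  # servlet/Tomcat default session cookie name (assumed)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flag -> True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def set_cookie_values(raw_headers: List[str]) -> List[str]:
    """Extract the values of the Set-Cookie lines from raw response header lines."""
    return [h.split(":", 1)[1].strip()
            for h in raw_headers if h.lower().startswith("set-cookie:")]


def audit_session_cookie(set_cookie_headers: List[str], over_https: bool) -> Dict[str, object]:
    """Report whether the session cookie carries the expected flags.

    HttpOnly is expected on both HTTP and HTTPS deployments. Secure only
    matters when the site is served over HTTPS (a Secure cookie is never
    sent over plain HTTP), so it is only required when over_https is True.
    """
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != SESSION_COOKIE:
            continue
        attrs = cookie["attrs"]
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        return {"found": True, "httponly": "httponly" in attrs,
                "secure": "secure" in attrs, "missing": missing}
    return {"found": False, "httponly": False, "secure": False, "missing": []}


# Constructed sample response headers for the two deployments described above.
HTTP_RESPONSE_HEADERS = ["Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"]
HTTPS_RESPONSE_HEADERS = ["Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print(audit_session_cookie(set_cookie_values(HTTP_RESPONSE_HEADERS), over_https=False))
    print(audit_session_cookie(set_cookie_values(HTTPS_RESPONSE_HEADERS), over_https=True))
```

A non-empty "missing" list for the HTTPS case is the condition under which the <http-only> or <secure> setting in the cookie-config element would actually be needed.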