'TCAT-AS-000080 - Cookies must have http-only flag set.' (Vuln ID: V-222933)


Article ID: 224577


Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

• Compliance Result: TOMCAT CONFIGURATION PROVIDED AS PART OF APPLICATION INSTALL. CHECK WITH VENDOR ON IMPACT OF THESE MODIFICATIONS.
• Notes:
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

 

Can you confirm whether applying the suggested fix for this finding will impact Spectrum negatively? The suggested fix is:

From the Tomcat server console, as a privileged user, edit $CATALINA_BASE/conf/web.xml.

If the <cookie-config> section does not exist it must be added. Add or modify the <http-only> setting and set it to true.

EXAMPLE:
<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

 

Without the HttpOnly flag, script running in the browser (for example through a cross-site scripting flaw) can read the session cookie, so the web application session can be stolen or manipulated. Configuring the flag in <cookie-config> makes Tomcat add it to the Set-Cookie response header.

The $CATALINA_BASE/conf/web.xml file is the default deployment descriptor for every web application on the Tomcat instance, so its <cookie-config> element controls how all of them handle cookies.

Environment

Release : 21.2

Component : Spectrum OneClick

Resolution

DX NetOps Spectrum already includes the <session-config> element out of the box in the web.xml file:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

The other settings (the <cookie-config> element with <http-only> and <secure>) have been determined not to be required: Tomcat sets the HttpOnly flag on its session cookie by default, without any web.xml configuration.

Internal testing confirmed that Tomcat sets the HttpOnly flag on its own without the configuration.

OC Webserver configured with HTTP (non-SSL): the HttpOnly flag is enabled (screenshot not reproduced).

OC Webserver configured with HTTPS (SSL): (screenshot not reproduced).

These settings can still be enabled if required and the <http-only> setting will not affect the product in any way; Broadcom does not consider it necessary, however, because Tomcat already handles it correctly. One caveat on the STIG example: <secure>true</secure> marks the session cookie Secure, which a browser only sends back over HTTPS. Set it only on an OC Webserver configured for HTTPS (SSL); on an HTTP (non-SSL) installation the browser would never return the session cookie and logins would not persist.
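The internal test above amounts to fetching a OneClick page and reading the Set-Cookie header. The following added example (not Broadcom's or Tomcat's own code) does the same check from a script: it parses Set-Cookie header values, reports session cookies that lack HttpOnly, and treats the Secure flag as required over HTTPS but as a misconfiguration over plain HTTP, which is the caveat noted above. The sample headers at the bottom are constructed for illustration; the JSESSIONID values and the /spectrum path are assumptions, not captures from a real OneClick server, and the fetch helper's URL, timeout and self-signed-certificate option are likewise assumptions.

```python
"""Audit Set-Cookie headers from a Tomcat/OneClick web server for the
HttpOnly and Secure flags (added example; not Broadcom's own code).

The SAMPLE_* headers below are constructed for illustration; the
JSESSIONID values and the /spectrum path are assumptions.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class CookieFlags:
    name: str
    http_only: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFlags(name, "httponly" in attrs, "secure" in attrs)


def audit_cookies(set_cookie_headers, over_tls):
    """Return {cookie name: [problems]} for a list of Set-Cookie header values.

    over_tls: whether the response was served over HTTPS. Secure is expected
    over HTTPS; over plain HTTP a Secure cookie is a misconfiguration because
    the browser never sends it back, so the session would not persist.
    """
    findings = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        problems = []
        if not cookie.http_only:
            problems.append("missing HttpOnly")
        if over_tls and not cookie.secure:
            problems.append("missing Secure")
        if not over_tls and cookie.secure:
            problems.append("Secure flag set on plain HTTP; browser will not return this cookie")
        findings[cookie.name] = problems
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the first response's Set-Cookie headers are kept."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_set_cookie_headers(url, verify_tls=True):
    """GET url once (no redirects) and return its Set-Cookie header values."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # assumption: OneClick may run with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:  # a 3xx/4xx response also carries cookies
        return err.headers.get_all("Set-Cookie") or []


def audit_url(url, verify_tls=True):
    """Fetch url and audit its cookies; over_tls is inferred from the URL scheme."""
    headers = fetch_set_cookie_headers(url, verify_tls)
    return audit_cookies(headers, url.lower().startswith("https://"))


# Constructed sample headers shaped like a Tomcat session cookie (assumed values).
SAMPLE_HTTP = ["JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9; Path=/spectrum; HttpOnly"]
SAMPLE_HTTPS = ["JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9; Path=/spectrum; Secure; HttpOnly"]
SAMPLE_NO_FLAGS = ["JSESSIONID=0A1B2C3D4E5F60718293A4B5C6D7E8F9; Path=/spectrum"]

if __name__ == "__main__":
    for label, headers, tls in (("HTTP", SAMPLE_HTTP, False),
                                ("HTTPS", SAMPLE_HTTPS, True),
                                ("no flags over HTTPS", SAMPLE_NO_FLAGS, True)):
        print(label, audit_cookies(headers, tls))
    # Against a live server (assumed URL): audit_url("https://oneclick.example:8443/spectrum/", verify_tls=False)
```

An empty problem list for JSESSIONID, as with SAMPLE_HTTP and SAMPLE_HTTPS, is the condition the finding asks for; run audit_url against the OneClick login page rather than a static resource, since only responses that create a session carry the Set-Cookie header.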