Discussion forums

Fixing session cookie related vulnerabilities (secure and httpOnly)

Srvna R, modified 10 years ago.

Fixing session cookie related vulnerabilities (secure and httpOnly)

New Member Posts: 10 Join date: 9/07/13 Recent posts
Hi,
Our application security scanning has resulted in the below two vulnerabilities:

1. Session Cookie Does Not Contain The "secure" Attribute
2. Session Cookie Does Not Contain The "HTTPOnly" Attribute

We tried fixing it by making the below code snippet changes in web.xml(WEB-INF) of the application. Tomcat server(7.0.42) was restarted after these changes.

<session-config>
    <session-timeout>30</session-timeout>
    <!-- The Servlet 3.0 schema allows at most one cookie-config per session-config,
         so both flags must be set inside the same element. -->
    <cookie-config>
        <secure>true</secure>
        <http-only>true</http-only>
    </cookie-config>
</session-config>

When we scanned the application again for the vulnerabilities, we received the above two errors even after making the above mentioned changes. Kindly help us by providing suggestions for the below queries:

1. Do we need to restart Apache server(2.2.15) after making the web.xml changes for the changes to be reflected. Or will only tomcat restart suffice?
2. Any other alternative suggestions to fix the vulnerabilities as the above mentioned changes don't seem to work. (Most Suggestions in the internet seem to suggest the above fix)

Thanks in advance for your help.
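A quick way to verify the fix without re-running the full scanner is to look at the Set-Cookie headers the server actually emits for the session cookie. The following script is an added example, not part of this thread; it parses Set-Cookie header values, reports which of the Secure and HttpOnly attributes are missing on the session cookie (JSESSIONID by default, an assumption about the deployment), and includes an optional live check over urllib against a URL you supply. The sample headers below are constructed to show a response before and after the web.xml change.

```python
"""Report missing Secure / HttpOnly attributes on session cookies."""
import sys
import urllib.request

# Constructed sample Set-Cookie headers, as a scanner would see them.
HEADERS_BEFORE_FIX = [
    "JSESSIONID=ABC123DEF456; Path=/app",
    "theme=dark; Path=/; Max-Age=31536000",
]
HEADERS_AFTER_FIX = [
    "JSESSIONID=ABC123DEF456; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes like "Path=/app" and flags like "Secure" are both keyed by name only.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(set_cookie_headers, session_cookie_names=("JSESSIONID",)):
    """Return {cookie_name: [missing attributes]} for each session cookie found.

    Only cookies whose name is in session_cookie_names are checked; other
    cookies (preferences, analytics) are ignored because the scanner finding
    is about the session cookie specifically.
    """
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in session_cookie_names:
            continue
        findings[name] = [flag for flag in ("secure", "httponly") if flag not in attrs]
    return findings


def check_url(url, session_cookie_names=("JSESSIONID",)):
    """Fetch url and check the live Set-Cookie headers (hypothetical target URL)."""
    with urllib.request.urlopen(url) as response:
        headers = response.headers.get_all("Set-Cookie") or []
    return missing_flags(headers, session_cookie_names)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_cookies.py https://your-host/app/
        print(check_url(sys.argv[1]))
    else:
        print("before fix:", missing_flags(HEADERS_BEFORE_FIX))
        print("after fix: ", missing_flags(HEADERS_AFTER_FIX))
```

If the live check still reports both attributes missing after Tomcat was restarted, compare the response taken directly from Tomcat's connector port with the one taken through Apache: that tells you whether the cookie leaves Tomcat without the flags or whether the front end is rewriting it.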
Prakash Khanchandani, modified 10 years ago.

RE: Fixing session cookie related vulnerabilities (secure and httpOnly)

Expert Posts: 329 Join date: 10/02/11 Recent posts
try adding these to tomcat's web.xml at location \tomcat-7.0.42\conf