Srvna R
Fixing session cookie related vulnerabilities (secure and httpOnly)
27 September 2013 06:10

Srvna R
Rank: New Member
Posts: 10
Joined: 9 July 2013

Hi,
Our application security scanning has resulted in the below two vulnerabilities:

1. Session Cookie Does Not Contain The "secure" Attribute
2. Session Cookie Does Not Contain The "HTTPOnly" Attribute

We tried fixing it by making the below code snippet changes in web.xml (WEB-INF) of the application. The Tomcat server (7.0.42) was restarted after these changes.

    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

When we scanned the application again for the vulnerabilities, we received the above two errors even after making the above-mentioned changes. Kindly help us by providing suggestions for the below queries:

1. Do we need to restart the Apache server (2.2.15) after making the web.xml changes for the changes to be reflected, or will only a Tomcat restart suffice?
2. Are there any alternative suggestions to fix the vulnerabilities, as the above-mentioned changes don't seem to work? (Most suggestions on the internet seem to recommend the above fix.)

Thanks in advance for your help.
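As an added example (not from the original post or from Tomcat's own files), here is the Servlet 3.0 form of this session-config. The session-configType schema permits at most one cookie-config element, so both flags belong in the same element; the web-app version declaration and the tracking-mode line are assumptions about the deployment, not something the post states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's web.xml.
     cookie-config is a Servlet 3.0 element, so the web-app declaration
     is assumed to be version 3.0 (Tomcat 7.0.42 implements Servlet 3.0). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <session-config>
    <session-timeout>30</session-timeout>
    <!-- The schema allows a single cookie-config per session-config,
         so http-only and secure go together in one element
         (schema order: http-only before secure). -->
    <cookie-config>
      <http-only>true</http-only>
      <!-- secure=true tells the browser to send JSESSIONID only over HTTPS;
           if users reach the application over plain HTTP, their session
           will not persist, so serve the whole application over HTTPS. -->
      <secure>true</secure>
    </cookie-config>
    <!-- Assumed addition: track sessions by cookie only, so the container
         never falls back to ;jsessionid=... URL rewriting. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

After redeploying, check the Set-Cookie header of the first HTTPS response (for example with curl -kI) for "; Secure; HttpOnly" on JSESSIONID; the scanner only sees the headers that reach it through the Apache front end.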
Prakash Khanchandani
RE: Fixing session cookie related vulnerabilities (secure and httpOnly)
8 October 2013 06:11

Prakash Khanchandani
Rank: Regular Member
Posts: 236
Joined: 10 February 2011

Try adding these to Tomcat's web.xml at location \tomcat-7.0.42\conf