tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pritchett, Mark S. (CONT)" <>
Subject httpOnly issue
Date Wed, 08 Mar 2017 12:53:23 GMT
Hi All

My first posting.

Server version: Apache Tomcat/7.0.67
JVM Version:    1.7.0_131-mockbuild_2017_02_07_02_15-b00

A vulnerability scan has shown that tomcat doesn't apply httpOnly to come cookies.
I need to determine if this can be 'corrected'.

We're scanning using ZAP,
It finds that the base URL, has several cookies like this example

  <alert>Cookie No HttpOnly Flag</alert>
  <name>Cookie No HttpOnly Flag</name>
  <riskdesc>Low (Medium)</riskdesc>
  <desc>&lt;p&gt;A cookie has been set without the HttpOnly flag, which means
that the cookie can be accessed by JavaScript. If a malicious script can be run on this page
then the cookie will be accessible and can be transmitted to another site. If this is a session
cookie then session hijacking may be possible.&lt;/p&gt;</desc>
  <param>ADRUM_BTa=&quot;R:0|g:2a2c9071-b525-4756-9f91-9dee7e72e8f0&quot;; Version=1;
Max-Age=30; Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; Secure</param>
Version=1; Max-Age=30; Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; Secure</evidence>

My understanding is that httpOnly is the default with this version of tomcat:
Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the issue is still
reported by a scan.

Any ideas please?


The information contained in this e-mail is confidential and/or proprietary to Capital One
and/or its affiliates and may only be used solely in performance of work or services for Capital
One. The information transmitted herewith is intended only for use by the individual or entity
to which it is addressed. If the reader of this message is not the intended recipient, you
are hereby notified that any review, retransmission, dissemination, distribution, copying
or other use of, or taking of any action in reliance upon this information is strictly prohibited.
If you have received this communication in error, please contact the sender and delete the
material from your computer.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message