Hi All My first posting.
Server version: Apache Tomcat/7.0.67 JVM Version: 1.7.0_131-mockbuild_2017_02_07_02_15-b00 A vulnerability scan has shown that tomcat doesn't apply httpOnly to come cookies. I need to determine if this can be 'corrected'. We're scanning using ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project It finds that the base URL, has several cookies like this example <alert>Cookie No HttpOnly Flag</alert> <name>Cookie No HttpOnly Flag</name> <riskcode>1</riskcode> <confidence>2</confidence> <riskdesc>Low (Medium)</riskdesc> <desc><p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.</p></desc> <instances> <instance> <uri>https://localhost:8443/</uri> <param>ADRUM_BTa="R:0|g:2a2c9071-b525-4756-9f91-9dee7e72e8f0"; Version=1; Max-Age=30; Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; Secure</param> <evidence>ADRUM_BTa="R:0|g:2a2c9071-b525-4756-9f91-9dee7e72e8f0"; Version=1; Max-Age=30; Expires=Wed, 08-Mar-2017 08:47:00 GMT; Path=/; Secure</evidence> </instance> My understanding is that httpOnly is the default with this version of tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html Even so, I have set useHttpOnly in $CATALINA_BASE/conf/context.xml, but the issue is still reported by a scan. Any ideas please? Regards Mark ________________________________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.