On 30/11/2017 06:53, Naga Ramesh wrote:
> Team,
> 
> We are facing some issues during security-level testing, so please
> check the issues mentioned below and suggest the changes needed at the
> Tomcat level ASAP.
> 
>     1.      *Session Cookie do not contain secure attribute:* for this,
>     what are all the changes I need to make at the Tomcat level?
> 
>     2.      *Site susceptible to Man-In-The-Middle HTTPS Downgrade
>     attack*: Here we have used the AWS ELB with SSL and mapped it to the
>     Tomcat instance, but during testing the instance went to HTTP instead
>     of HTTPS, so what are all the changes that need to be made for this
>     issue at the Tomcat level?
> 
> Versions:
>     Tomcat version: tomcat-8.0.33
>     Java Version:   1.8.0_60-b27
> 
> I have also attached the server.xml, web.xml & context file from tomcat/conf.

Thank you for providing the version and configuration details. To answer
your questions we need a little more information.

What is the (expected) path when the user makes an HTTP request? Is it:

User --------> AWS --------> Tomcat
      (HTTP)        (HTTP)


What is the (expected) path when the user makes an HTTPS request? Is it:

User --------> AWS --------> Tomcat
      (HTTPS)        (HTTP)

Mark
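For the second topology Mark asks about (TLS terminated at the ELB, plain HTTP from the ELB to Tomcat), the Tomcat-side configuration that addresses both findings looks like the fragments below. This is an added example, not part of the thread or its attachments; it assumes the ELB sends the standard X-Forwarded-Proto and X-Forwarded-For headers, that the ELB's private addresses fall inside RemoteIpValve's default internalProxies ranges, and that the ELB's HTTPS listener is on port 443.

```xml
<!-- conf/server.xml (fragment): the HTTP connector the ELB forwards to.
     redirectPort must be the port clients reach over HTTPS, i.e. the ELB
     listener (443), not a Tomcat port, or the CONFIDENTIAL redirect below
     sends browsers to the wrong place. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- conf/server.xml (fragment): inside <Engine> or <Host>.
     RemoteIpValve makes Tomcat trust X-Forwarded-Proto from the ELB, so a
     request that arrived at the ELB over HTTPS is treated as secure
     (request.isSecure() == true, scheme https, server port 443) even
     though the hop from the ELB is plain HTTP. Without this valve the
     transport-guarantee below would redirect every request to https://,
     the ELB would forward it again as http, and the client would loop.
     internalProxies is left at its default (RFC 1918 ranges); tighten it
     to the ELB's subnet if the default is too broad for your VPC. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />

<!-- WEB-INF/web.xml or conf/web.xml (fragment, Servlet 3.0+). -->
<!-- Finding 1: always mark JSESSIONID Secure (and HttpOnly). With the
     valve above Tomcat would set Secure on forwarded-HTTPS requests anyway;
     forcing it here guarantees the cookie is never issued without it. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

<!-- Finding 2: refuse plain-HTTP access to the whole application. A request
     whose X-Forwarded-Proto is http is not secure, so Tomcat answers with a
     302 to https://host:443/<path>; only forwarded-HTTPS requests pass. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After restarting, confirm with a plain-HTTP request through the ELB that the response is a 302 to the https:// URL, and with an HTTPS request that Set-Cookie for JSESSIONID carries both Secure and HttpOnly.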


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
