Hi,

We are using Tomcat 9 and getting the following two vulnerabilities in security scans:

Cookie Does Not Contain The "secure" Attribute (1)
Cookie Does Not Contain The "HTTPOnly" Attribute (1)

We have done the things mentioned in https://geekflare.com/secure-cookie-flag-in-tomcat/

<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>

and also updated the context.xml for useHttpOnly="true". It has not helped. We also tried updating our web application's web.xml with the cookie-config, but it has also not helped.

What else do we need to do?

Best
Sumit