If you have a load balancer you will need to add these attributes there as well...
Sent from my T-Mobile 4G LTE Device -------- Original message -------- From: Sumit Bhardwaj <[email protected]> Date: 7/20/19 8:52 AM (GMT-05:00) To: Tomcat Users List <[email protected]> Subject: Security vulnerabilities with tomcat 9 Hi, We are using tomcat 9 and getting following two vulnerabilities in security scans. Cookie Does Not Contain The "secure" Attribute (1) Cookie Does Not Contain The "HTTPOnly" Attribute (1) We have done things mentioned in https://geekflare.com/secure-cookie-flag-in-tomcat/ <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> and also updating the *context.xml for *useHttpOnly="true" It has not helped. We also tried updating our web application's web.xml with the cookie-config, but it has also not helped. What else do we need to do? Best Sumit --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
