
Secure and HTTPOnly Flag Query


Hi all,

I have a web application which uses Apache Tomcat version 7.0.55. Our application security team recently scanned the application for vulnerabilities and recommended that we needed to:

1. Ensure that the secure flag was set for cookies

2. Ensure that the HttpOnly flag was set for cookies.

So I went ahead and edited the web.xml and context.xml files as suggested by www.owasp.org.

But the vulnerabilities were still apparent when our security team rescanned the application. They have suggested that because the web server is IIS, and the application server is Tomcat, is it possible that IIS configurations / settings are interfering with or overriding those of the application (config files)?

So I guess my question is this - is there something I can do within IIS to ensure that secure and HttpOnly flags are set? We are using IIS 7.5

Any advice greatly appreciated. Thanks.
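
To narrow down which cookies a rescan is still flagging and which tier sets them, the `Set-Cookie` headers from a request sent straight to Tomcat can be compared with those from the same request sent through the front end. The following is an added example, not part of the original post: the header lines are constructed samples, and every cookie name other than `JSESSIONID` is hypothetical.

```python
"""Audit Set-Cookie response headers for the Secure and HttpOnly attributes."""

# Constructed sample: headers as they might be captured for the same request
# sent straight to Tomcat and then through the IIS front end. Cookie names
# other than JSESSIONID are hypothetical.
DIRECT_TOMCAT = [
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/app; Secure; HttpOnly",
    "Set-Cookie: uiTheme=dark; Path=/app",
]
VIA_IIS = [
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/app; Secure; HttpOnly",
    "Set-Cookie: uiTheme=dark; Path=/app",
    "Set-Cookie: lbAffinity=abc123; Path=/; HttpOnly",
]


def parse_set_cookie(line):
    """Return (cookie_name, set of lower-cased attribute names)."""
    value = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; drop any "=value" part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(header_lines):
    """Map each cookie name to the list of required flags it is missing."""
    findings = {}
    for line in header_lines:
        name, attrs = parse_set_cookie(line)
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def added_by_front_end(direct, proxied):
    """Cookies present only in the proxied response (set by the front end)."""
    direct_names = {parse_set_cookie(l)[0] for l in direct}
    return sorted({parse_set_cookie(l)[0] for l in proxied} - direct_names)


if __name__ == "__main__":
    for label, lines in (("direct", DIRECT_TOMCAT), ("via IIS", VIA_IIS)):
        for cookie, missing in audit(lines).items():
            print(f"{label}: {cookie} missing {', '.join(missing)}")
    print("only via front end:", added_by_front_end(DIRECT_TOMCAT, VIA_IIS))
```

The `<cookie-config>` element in web.xml applies to the session tracking cookie only, so a cookie the application creates itself is reported here until the code that sets it adds both flags.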

