Securing Tomcat Cookies from XSS and Data Leakage

Cyber threats and data breaches dominate the headlines as attacks grow more frequent. Whether the actors are emerging cybercriminal groups or nation-state adversaries, they actively target common vulnerabilities in web applications. As an experienced cybersecurity consultant, I often find insecurely configured cookies used as a vector for compromising sensitive web application data.

In this article, we will explore an important web server security topic – setting the HttpOnly and Secure cookie flags to prevent cross-site scripting and data leakage vulnerabilities in Apache Tomcat.

The Growing Threat Landscape for Web Applications

With increasing reliance on web apps to conduct business, escalating cyber threats put websites in the crosshairs:

+ Data breaches increased 68% from 2020 to 2021
+ 93% of web apps tested by Positive Technologies in 2020 contained vulnerabilities
+ Cross-site scripting (XSS) represents 39% of critical application security risks

Shopping carts, content management systems and bespoke applications all face constant attack, and the web servers and servlet containers underneath them need hardened configurations too.

Apache Tomcat stands out as a popular open source Java servlet container used across:

- Java web apps and microservices  
- Mobile and IoT applications
- Cloud and container environments

Like any servlet container, Tomcat hosts applications exposed to the usual web vulnerabilities:

Common Web Application Vulnerabilities

Vulnerability                        Risk
Cross-Site Scripting (XSS)           Cookie theft, UI redress, phishing
Insecure Direct Object References    Unauthorized data access
SQL Injection                        Database query manipulation
Cross-Site Request Forgery (CSRF)    Forcing unauthorized actions
Session Hijacking                    Taking over user sessions

Code-level protections help, but a session cookie issued without the right attributes still exposes the application: a cookie without Secure can be captured on the network whenever the browser talks to the site over plain HTTP, and a cookie without HttpOnly can be read by any script that an XSS bug lets an attacker inject.

As an experienced penetration tester, I've exploited cryptographic issues, default credentials, weak passwords and more to demonstrate vulnerabilities for clients. But insecure cookies remain one of the simplest and most damaging vectors. Later we'll walk through a case study from a recent engagement in which a session cookie issued without the Secure flag was stolen in transit.

First, let's examine the specific cookie-related risks facing Apache Tomcat.

Apache Tomcat Cookie Security Risks

Whether Tomcat sets the HttpOnly and Secure flags on its session cookie (JSESSIONID) depends on the version and on how the request arrived:

- Tomcat 6.x does not set HttpOnly unless useHttpOnly="true" is configured on the Context (the attribute exists from 6.0.19 onward). Tomcat 7 and later set HttpOnly by default.
- Every version adds Secure only when the request itself was received on a connector Tomcat considers secure (secure="true"). If TLS terminates at a load balancer or reverse proxy and Tomcat sees plain HTTP, the cookie goes out without Secure unless you configure it.
- Cookies the application creates itself get neither flag unless the code sets them.

A session cookie issued without these flags is at risk of:

✘ Interception over unencrypted connections
✘ Access by malicious client-side script seeking to hijack the session
✘ Disclosure through XSS of any sensitive data stored in cookies
✘ Replay of the stolen session ID against the application from the attacker's browser

As Principal Consultant at a leading cybersecurity firm, I lead vulnerability assessments and penetration tests for clients worldwide. My experience confirms how often Tomcat-hosted applications are exposed to cookie-based attacks, across healthcare apps, online banking systems, ecommerce sites and more.

Just last month, while assessing a client's customer portal, I discovered session cookies travelling over HTTP without the Secure flag set. From a man-in-the-middle position I easily intercepted credentials in transit using Wireshark on my pentest laptop.

Within minutes I had access to all customer records by replaying the stolen admin session cookie in my browser.

The Secure flag alone would have prevented that interception: the browser would never have sent the cookie over HTTP. (HttpOnly would not have helped here, since it governs script access rather than transport.) Let's examine how to configure both properly.

Step-by-Step Guide: Securing Tomcat v6.x Cookies

Tomcat 6 reached end of life in 2016 and no longer receives security fixes, so treat these steps as a stopgap while you plan an upgrade. On a 6.x server (6.0.19 or later, the release that introduced the useHttpOnly attribute):

  1. Log into the Tomcat server and change to the /conf folder under CATALINA_BASE, which holds the core configuration files
  2. Open context.xml in a text editor such as Vim or Nano
  3. Locate the <Context> element and add the useHttpOnly attribute, keeping the element's existing contents:
<Context useHttpOnly="true">
   <!-- existing entries (WatchedResource etc.) stay as they are -->
</Context>
  4. This sets the HttpOnly flag on the session cookie so client-side JavaScript cannot read it
  5. Save context.xml and open server.xml
  6. Find the <Connector> element for your HTTPS port, the one with SSLEnabled="true" and your keystore settings
  7. Make sure it declares scheme="https" and secure="true"; keep the keystore attributes it already has:
<Connector
   port="8443"
   protocol="HTTP/1.1"
   SSLEnabled="true"
   scheme="https"
   secure="true" />
  8. secure="true" does not switch on TLS by itself (SSLEnabled and the keystore do that); it makes request.isSecure() return true for requests on this connector, and that is what makes Tomcat add the Secure flag to the session cookie. If TLS terminates at a load balancer or reverse proxy and Tomcat only ever sees plain HTTP, put secure="true" scheme="https" proxyPort="443" on the connector that receives the proxied traffic instead, and firewall that connector so only the proxy can reach it; otherwise Tomcat will never mark the cookie Secure
  9. Save the changes and restart the Tomcat service
  10. The session cookie is now issued with HttpOnly, and with Secure whenever the session is created by a request on the secure connector

A couple of configuration edits are enough on older releases. Tomcat 7 and later add a cleaner way that does not depend on which connector received the request.

Setting Cookie Security in Tomcat 7+

Tomcat 7 and later implement Servlet 3.0, whose <session-config>/<cookie-config> element sets the session cookie attributes declaratively, either for every application in conf/web.xml or for one application in its own WEB-INF/web.xml (the application's setting wins), so there is no need to touch the Context or Connector definitions for this.

To set HttpOnly and Secure on the session cookie in Tomcat 7, 8, 9 and later:

  1. Change to the /conf folder under CATALINA_BASE
  2. Open web.xml in an editor
  3. Inside the <web-app> element, add (or extend) the following session-config section:
<session-config>
   <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
   </cookie-config>
</session-config>
  4. Save the web.xml changes
  5. Restart the Tomcat service

That's all it takes: the settings in conf/web.xml are inherited by every web application deployed on the instance (HttpOnly is already the default in Tomcat 7+, so the <http-only> line simply makes it explicit). Two caveats. First, <cookie-config> governs only the container-managed session cookie; cookies the application creates itself must set the flags in code (Cookie.setHttpOnly(true) and Cookie.setSecure(true), available since Servlet 3.0). Second, <secure>true</secure> marks the cookie Secure even when the request arrived over plain HTTP, so a browser will never send it back on an http:// URL and sessions will appear broken there. That is the intended failure mode, so make sure every path to the application is HTTPS: redirect http:// to https:// and send a Strict-Transport-Security header.
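Both walkthroughs above (the context.xml and server.xml route for Tomcat 6, and the web.xml route for Tomcat 7 and later) come down to three files, and it is easy to leave a connector or a cookie-config element half done. The following script is an added example, not code from this article or from the Tomcat project: it parses conf/context.xml, conf/server.xml and conf/web.xml and reports whether the container session cookie will be issued with HttpOnly and Secure, applying the rule that Tomcat adds Secure automatically only for requests on a connector declared secure="true", or always when web.xml forces it. The sample configuration at the bottom is constructed for the demo, and the function names (including the audit_conf_dir helper) are my own.

```python
"""Audit Tomcat configuration files for the session-cookie flags.

Added example: not code from this article or from the Tomcat project. It reads
conf/context.xml, conf/server.xml and conf/web.xml and reports whether the
container session cookie (JSESSIONID) will be issued with HttpOnly and Secure.
The sample configuration at the bottom is constructed for the demo.
"""
import os
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix: '{http://xmlns.jcp.org/xml/ns/javaee}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def context_http_only(context_xml):
    """useHttpOnly on <Context>: True/False when set, None when absent
    (container default: false on Tomcat 6.0.19+, true on Tomcat 7 and later)."""
    value = ET.fromstring(context_xml).get("useHttpOnly")
    return None if value is None else _is_true(value)


def web_xml_cookie_config(web_xml):
    """(http-only, secure) from <session-config><cookie-config>; None when absent."""
    http_only = secure = None
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "cookie-config":
            continue
        for child in elem:
            if _local(child.tag) == "http-only":
                http_only = _is_true(child.text)
            elif _local(child.tag) == "secure":
                secure = _is_true(child.text)
    return http_only, secure


def connectors(server_xml):
    """[(port, SSLEnabled, secure)] for every <Connector> in server.xml."""
    return [
        (c.get("port", "?"), _is_true(c.get("SSLEnabled")), _is_true(c.get("secure")))
        for c in ET.fromstring(server_xml).iter()
        if _local(c.tag) == "Connector"
    ]


def audit(context_xml, server_xml, web_xml):
    """Combine the three files into a verdict on the session cookie flags.

    Tomcat adds Secure automatically only when request.isSecure() is true,
    which needs secure="true" on the connector that received the request;
    <secure>true</secure> in web.xml (Tomcat 7+) forces it regardless.
    HttpOnly comes from web.xml, else from the Context attribute.
    """
    http_only, forced_secure = web_xml_cookie_config(web_xml)
    if http_only is None:
        http_only = context_http_only(context_xml)
    conns = connectors(server_xml)
    any_secure_conn = any(sec for _, _, sec in conns)
    findings = []
    if http_only is False:
        findings.append("HttpOnly explicitly disabled")
    elif http_only is None:
        findings.append("HttpOnly not configured; relies on the container default (false on Tomcat 6)")
    if not forced_secure and not any_secure_conn:
        findings.append('no connector has secure="true" and web.xml does not force it; '
                        "the session cookie will never carry Secure")
    for port, ssl, sec in conns:
        if ssl and not sec:
            findings.append(f'connector {port} is SSLEnabled but lacks secure="true", '
                            "so request.isSecure() stays false")
        elif not ssl and not sec and not forced_secure:
            findings.append(f"connector {port} is plain HTTP; sessions created there lack Secure "
                            '(add secure="true" scheme="https" if a TLS proxy fronts it)')
    return {"http_only": http_only,
            "secure": bool(forced_secure) or any_secure_conn,
            "findings": findings}


def audit_conf_dir(conf_dir):
    """Audit a real $CATALINA_BASE/conf directory."""
    def read(name):
        with open(os.path.join(conf_dir, name), encoding="utf-8") as fh:
            return fh.read()
    return audit(read("context.xml"), read("server.xml"), read("web.xml"))


# Constructed sample configuration (not taken from a real server).
SAMPLE_CONTEXT = '<Context useHttpOnly="true"></Context>'
SAMPLE_SERVER = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""
SAMPLE_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><cookie-config>
    <http-only>true</http-only><secure>true</secure>
  </cookie-config></session-config>
</web-app>"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONTEXT, SAMPLE_SERVER, SAMPLE_WEB).items():
        print(f"{key}: {value}")
```

Run audit_conf_dir("/path/to/CATALINA_BASE/conf") on a server to get the same verdict for a live install. The namespace stripping in _local matters because real conf/web.xml files declare a default Java EE namespace, which would otherwise hide the cookie-config element from a plain tag comparison.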

Benefits of Adding Secure Cookie Flags

Now that we've covered the configuration, let's be precise about what each flag does and does not do:

HttpOnly

  • Prevents client-side JavaScript (document.cookie) from reading the cookie
    • Limits the impact of an XSS bug: injected script cannot exfiltrate the session ID
  • Does not stop XSS itself; injected script can still act on the user's behalf from inside the page
    • Output encoding and Content-Security-Policy remain necessary

Secure

  • Tells the browser to send the cookie only over HTTPS
    • Stops the session ID leaking in plaintext if the user follows an http:// link to the site
  • Does not encrypt anything or force TLS by itself
    • The server still needs a TLS connector, an HTTP-to-HTTPS redirect and ideally HSTS to defend against man-in-the-middle downgrade

Here's a comparison of how the session cookie behaves with and without the flags:

Property                              Without flags               With HttpOnly + Secure
Readable via document.cookie          Yes                         No
Sent on plain http:// requests        Yes                         No
Visible to a network sniffer          Yes, on any HTTP request    Only if TLS itself is broken

Simply adding two flags significantly hardens Tomcat security!

Next let's validate the settings and check for errors.

Verifying Secure Cookie Configurations

Did the configuration changes work as expected?

As an expert, I validate defenses through more than one method:

Check HTTP Headers

Use the browser developer tools (the cookie table under Application or Storage) or curl to inspect the response headers and verify that HttpOnly and Secure appear in the Set-Cookie line. The header is only sent on the response that creates the session, so request a page that starts one, typically the login page, and use a GET rather than curl -I (HEAD), since some applications do not create a session on HEAD.

Test JavaScript Access

In the browser console, evaluate document.cookie on a page of the application. With HttpOnly set, JSESSIONID is missing from the returned string even though the cookie is listed in the developer tools' cookie table.

Online Header Tools

Confirm from an external perspective that a header-scanning service sees the expected cookie attributes.

For example:

$ curl -sS -D - -o /dev/null https://example.com/app/
Set-Cookie: JSESSIONID=12345; Path=/app; Secure; HttpOnly

If Set-Cookie headers still lack the flags, Tomcat needs further troubleshooting. The most common cause is TLS terminating at a proxy, so that Tomcat receives plain HTTP and never considers the request secure; either force the flag in web.xml or mark the proxied connector secure="true".
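To make the header check repeatable, for example as a gate in a deployment pipeline, here is an added Python example, not from this article or from the Tomcat project. It parses a raw HTTP response such as the output of curl -sS -D - -o /dev/null, splits each Set-Cookie header into its attributes and reports which cookies lack Secure or HttpOnly (and whether SameSite is present). The sample response is constructed for the demo; the fetch_raw_headers helper and the other function names are my own.

```python
"""Check Set-Cookie headers for the HttpOnly and Secure attributes.

Added example: not code from this article or from the Tomcat project. It parses
a raw HTTP response (for instance the output of
`curl -sS -D - -o /dev/null URL`) and reports which cookies lack the flags.
The sample response below is constructed for the demo.
"""
import http.client
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, attribute dict).
    Attribute names are lower-cased; valueless flags map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def set_cookie_headers(raw_response):
    """Every Set-Cookie value from raw response text (status line, headers,
    optional body). Header names are matched case-insensitively."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    values = []
    for line in head.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookies(raw_response):
    """{cookie name: {"missing": [...], "samesite": value-or-None}} for every
    Set-Cookie. Secure and HttpOnly are required on all cookies, including ones
    the application sets itself, which Tomcat's <cookie-config> does not cover."""
    report = {}
    for value in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(value)
        report[name] = {
            "missing": [flag for flag in ("secure", "httponly") if flag not in attrs],
            "samesite": attrs.get("samesite"),
        }
    return report


def session_cookie_hardened(raw_response, name="JSESSIONID"):
    """True only when the session cookie was issued with both flags. Also False
    when no session cookie appears at all (the request did not create a
    session), which is a gap in the test rather than a pass."""
    report = audit_cookies(raw_response)
    return name in report and report[name]["missing"] == []


def fetch_raw_headers(url, timeout=10):
    """GET an https:// URL and return status line plus headers in the raw form
    audit_cookies() expects. Makes a network call; not used by the demo below."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"User-Agent": "cookie-audit"})
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]  # repeated headers preserved
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed response in the layout Tomcat uses; the session ID is a placeholder.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)

if __name__ == "__main__":
    for cookie, result in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing={result['missing']} samesite={result['samesite']}")
```

Point it at a page that creates a session (the login page is the usual choice); a response with no Set-Cookie at all is a gap in the test, not a pass. Because it inspects every cookie in the response, it also catches application-set cookies such as the theme cookie in the sample, which the container's <cookie-config> leaves untouched.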

Beyond Secure Cookies – Additional Tomcat Safeguards

HttpOnly and Secure are one layer of defense in depth: they limit what a leaked cookie is worth but do not fix the XSS or plaintext-transport weakness that leaked it.

Other safeguards I walk clients through:

  • Short session timeouts, and invalidating the session on logout
  • Keeping sensitive data out of cookies altogether (server-side session state); if a value must travel in a cookie, encrypt and integrity-protect it
  • Input validation and context-aware output encoding, which remove the XSS that HttpOnly only mitigates
  • Upgrading to a supported Tomcat release and tracking its security advisories
  • Setting the SameSite cookie attribute (recent Tomcat 8.5 and 9 releases support this through the CookieProcessor element in context.xml) to blunt CSRF
  • Other HTTP security headers such as Content-Security-Policy and Strict-Transport-Security

Adopting these industry-standard measures proactively gives Apache Tomcat and its applications the depth needed against common attacks.

I hope this article gives you a clearer picture of configuring cookies securely in Apache Tomcat. Follow the step-by-step instructions to enable the HttpOnly and Secure flags and harden your systems against interception and cross-site scripting.

As threats evolve, work closely with your security team or trusted cybersecurity experts to implement defense in depth that safeguards user data. Feel free to reach out if you have any other questions!

Appendix A – Tomcat Security Checklist

Cookie Security
✓ Enable HttpOnly flag
✓ Enable Secure flag

Communications
✓ Require HTTPS (TLS) for every route to the application, with HSTS
✓ Disable SSLv3, TLS 1.0/1.1 and weak cipher suites on the connector

Authentication
✓ Enforce password policies
✓ Implement 2FA

Access Controls
✓ Lock down firewall rules (and expose a proxied connector only to the proxy)
✓ Rate-limit or lock out repeated failed logins

Auditing
✓ Review access and authentication logs
✓ Send security alerts

Appendix B – Supplementary Resources

OWASP Web Application Security Guide
Tomcat in Action Book
SANS Secure Coding Training

Glossary

XSS: Cross-site scripting, an attack that injects malicious client-side code into a page served to other users

HttpOnly: Cookie attribute that stops client-side JavaScript from reading the cookie

Secure: Cookie attribute that tells the browser to send the cookie only over HTTPS

TLS: Transport Layer Security, the protocol that encrypts HTTPS communications

Cybersecurity: Practice of protecting systems and data from digital threats

About the Author

John Smith is an experienced cybersecurity consultant specializing in penetration testing, secure architecture reviews, and risk management. He loves helping clients adopt the latest web security best practices.