Remedy smart IT vulnerability scan OWASP finding insecure cookie

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy with Smart IT


    COMPONENT:

    Remedy with Smart IT


    APPLIES TO:

    Smart IT 1.x



    PROBLEM:

    Problem Summary: Please resolve the following Remedy Smart IT vulnerability scan OWASP finding (insecure cookie):

    Cookie Vulnerabilities - [OWASP 2013 A 2] 
    1. Cookie does not have secure attribute. 

     

     


    SOLUTION:

     

       
    1. To make cookies secure, set the 'secure' flag in the web application's configuration. For Smart IT, locate the Smart IT server's web.xml, which usually resides at C:\Program Files\BMC Software\Smart_IT_MyIT\Smart_IT_MyIT\ux\WEB-INF\web.xml
    2. Add or update the following configuration to make the cookie secure. (Attached web.xml for reference)

           <session-config>
               <cookie-config>
                   <http-only>true</http-only>
                   <secure>true</secure>
               </cookie-config>
               <tracking-mode>COOKIE</tracking-mode>
           </session-config>

    3. Changes to the web config require a restart of the Smart IT server.
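
An added example, not part of the BMC article: a Python check that parses a web.xml and reports whether the session cookie settings from the solution are in place. The two sample documents and the function name audit_session_cookie are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml whose session-config lacks <secure> and <tracking-mode>.
SAMPLE_WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed sample: the same file with the article's configuration applied.
SAMPLE_FIXED = SAMPLE_WEAK.replace(
    "</http-only>", "</http-only>\n      <secure>true</secure>"
).replace("</cookie-config>",
          "</cookie-config>\n    <tracking-mode>COOKIE</tracking-mode>")


def _children(elem, name):
    # Compare local names only, so any web-app schema namespace is accepted.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def audit_session_cookie(web_xml_text):
    """Return a list of findings; an empty list means the settings match the article."""
    root = ET.fromstring(web_xml_text)
    configs = _children(root, "session-config")
    if not configs:
        return ["no <session-config> element"]
    sc = configs[0]
    findings = []
    cookie_cfgs = _children(sc, "cookie-config")
    for flag in ("http-only", "secure"):
        vals = [(f.text or "").strip().lower()
                for cc in cookie_cfgs for f in _children(cc, flag)]
        if vals != ["true"]:
            findings.append(f"<{flag}> is not set to true")
    modes = [(m.text or "").strip().upper() for m in _children(sc, "tracking-mode")]
    if modes != ["COOKIE"]:
        findings.append("<tracking-mode> is not exactly COOKIE")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit_session_cookie(text) or "OK")
```

To check a real deployment, pass the contents of the server's web.xml to audit_session_cookie before restarting.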

     


    Article Number:

    000141241


    Article Type:

    Solutions to a Product Problem


