VCUI-67-000030 - vSphere UI must set the secure flag for cookies.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel. vSphere UI is configured to only be accessible over a TLS tunnel, but this cookie flag is still a recommended best practice.


Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/web.xml.

Navigate to the /<web-apps>/<session-config>/<cookie-config> node and configure it as follows:


See Also

Item Details

References: CAT|II, CCI|CCI-002418, Rule-ID|SV-239711r679239_rule, STIG-ID|VCUI-67-000030, Vuln-ID|V-239711

Plugin: Unix

Control ID: 437cd039954f76e992b6c8153ed21265f1d4d6189cb040d82c2c34f67c41d535