tc Server HORIZON must perform server-side session management.

From VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide

Associated with: CCI-000054

SV-100549r1_rule tc Server HORIZON must perform server-side session management.

Vulnerability discussion

Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. Session cookies stored on the server are more secure than cookies stored on the client. Therefore, tc Server must be configured correctly in order to generate and manage session cookies on the server. Managing cookies on the server provides a layer of defense to vRealize Automation.By default, tc Server is designed to manage cookies on the server. However, incorrect configuration can turn off the default feature.

Check content

At the command prompt, execute the following command: grep -E 'cookies=.false' /opt/vmware/horizon/workspace/conf/context.xml If the command produces any output, this is a finding.

Fix text

Navigate to and open /opt/vmware/horizon/workspace/conf/context.xml. Navigate to and locate the node. Remove the value 'cookies="false"' from the node.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.