I need to have the 'HttpOnly' and 'Secure' attributes set to 'true' to prevent the CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute and CWE-402: Transmission of Private Resources into a New Sphere flaws from showing in the Veracode report.
After doing some online searching, it seems that the best thing to do is to simply set the attributes in the project's web.xml file as follows:
<session-config>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
However, I get an error message on the opening tag saying that "The content of element type "session-config" must match "(session-timeout)?".
I'm not sure what that means exactly. I'm guessing it has something to do with the order of elements but I don't really know how to fix it.
Any thoughts?
Thanks!