KB Article #182397

SECURITY: Apache Tomcat invalid Authentication Session Cookie Exposure

Problem

When a request to the AdminUI carries a Cookie header that Tomcat cannot parse, the contents of that header are written to $FILEDRIVEHOME/tomcat/admin/logs/catalina.out. Depending on what the client sent, that value can include a session identifier or other credential material, so it ends up in a log file that is not meant to hold secrets.


Logging rejected input is usually desirable: it helps detect and investigate malicious activity, and suppressing it means an attack that relies on malformed cookies leaves less of a trace. If your Security Team nevertheless requires that cookie contents not be written to the log, the value can be suppressed as described in this article; the fact that an invalid cookie was received is still logged.


Resolution

WARNING: The described edits must be redone after every Update applied to SecureTransport.


For Linux

Go to the $FILEDRIVEHOME/conf folder


Extract LocalStrings.properties from tomcat-coyote.jar with the command below. The jar contains several files with this name under different packages, so pass the full path inside the jar exactly as shown. unzip recreates that path, so the extracted copy lands at $FILEDRIVEHOME/conf/org/apache/tomcat/util/http/parser/LocalStrings.properties, which is where the Admin service picks it up in preference to the copy packaged in the jar:


unzip ../tomcat/lib/tomcat-coyote.jar org/apache/tomcat/util/http/parser/LocalStrings.properties


Open the extracted file and edit the line that starts with cookie.invalidCookieValue. The [{0}] is a MessageFormat placeholder through which Tomcat inserts the raw cookie header; remove it (including the space before it) and leave every other line in the file untouched. The final form of the message should read:


A cookie header was received that contained an invalid cookie. That cookie will be ignored.


Restart the Admin service so the edited file is loaded. To verify, send a request with a malformed Cookie header to the AdminUI and confirm that catalina.out now records only the fixed message, without the cookie contents.
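The Linux steps above, scripted as an added example (this is not code from the KB article or from SecureTransport). The function names, the sed-based edit and the verification check are this example's own; the real procedure runs only on a host where FILEDRIVEHOME is set, while the demo at the bottom works on a constructed properties file whose second key is made up to show that only the cookie.invalidCookieValue line is changed.

```shell
#!/bin/sh
# Added example, not part of the KB article or of SecureTransport.
# Scripts the Linux procedure: extract LocalStrings.properties from
# tomcat-coyote.jar into $FILEDRIVEHOME/conf, drop the [{0}] placeholder
# from cookie.invalidCookieValue, and check the result before restarting.

# Rewrite only the cookie.invalidCookieValue line of the properties file $1,
# removing the " [{0}]" placeholder through which Tomcat inserts the raw
# cookie header. Every other key is copied through unchanged.
strip_cookie_value() {
    f="$1"
    tmp="$f.tmp"
    sed 's/^\(cookie\.invalidCookieValue=.*\) \[{0}\]\(.*\)$/\1\2/' "$f" > "$tmp" \
        && mv "$tmp" "$f"
}

# Succeed only when the file still defines cookie.invalidCookieValue and that
# message no longer contains a {0} placeholder, i.e. the value is suppressed.
cookie_value_suppressed() {
    line=$(grep '^cookie\.invalidCookieValue=' "$1") || return 1
    case "$line" in
        *'{0}'*) return 1 ;;
        *)       return 0 ;;
    esac
}

# The real procedure (hypothetical helper name): run on a SecureTransport
# host with FILEDRIVEHOME set. The directory tree created under conf/ mirrors
# the path inside the jar; that exact path is what lets the edited copy be
# loaded instead of the packaged one.
apply_to_securetransport() {
    [ -n "$FILEDRIVEHOME" ] || { echo "FILEDRIVEHOME is not set" >&2; return 1; }
    cd "$FILEDRIVEHOME/conf" || return 1
    rel=org/apache/tomcat/util/http/parser/LocalStrings.properties
    unzip -o ../tomcat/lib/tomcat-coyote.jar "$rel" || return 1
    strip_cookie_value "$rel" || return 1
    cookie_value_suppressed "$rel" || { echo "placeholder still present in $rel" >&2; return 1; }
    echo "Edited $FILEDRIVEHOME/conf/$rel; restart the Admin service to apply."
}

# Offline demonstration on a constructed properties file. The first line is
# the text Tomcat ships for cookie.invalidCookieValue; the second is a
# made-up key that also carries [{0}], to show it is left alone.
demo() {
    work=$(mktemp -d) || return 1
    props="$work/LocalStrings.properties"
    cat > "$props" <<'EOF'
cookie.invalidCookieValue=A cookie header was received [{0}] that contained an invalid cookie. That cookie will be ignored.
example.otherKey=Constructed message [{0}] that must stay unchanged
EOF
    strip_cookie_value "$props" || { rm -rf "$work"; return 1; }
    cookie_value_suppressed "$props" || { rm -rf "$work"; return 1; }
    cat "$props"          # edited file: first line now without [{0}]
    rm -rf "$work"
}

demo
```

Run the script as-is to see the offline demo; on a SecureTransport host, call apply_to_securetransport instead and then restart the Admin service. The check function is worth keeping around: re-running it after an update tells you immediately whether the edit has been overwritten.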


For Windows

On Windows, extract LocalStrings.properties from $FILEDRIVEHOME\tomcat\lib\tomcat-coyote.jar with an archiving tool, taking the copy at org\apache\tomcat\util\http\parser inside the jar, and place it under $FILEDRIVEHOME\conf\org\apache\tomcat\util\http\parser. Create this folder tree manually beforehand; it must match the path inside the jar exactly, otherwise the Admin service will keep using the packaged copy.


After that, follow the modification, restart and verification steps for Linux as described above.