Is it possible to add the httpOnly attribute to the atlassian.xsrf.token cookie

After running an Alienvault USM scan against Jira, it found a medium vulnerability:

Port 443 'Vulnerability Detection Result: The cookies: Set-Cookie: atlassian.xsrf.token=xxxxxxxxxxxxxxxxxxxxx|lout; Path=/ are missing the "httpOnly" attribute. Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute.'

Looking at the network packets I can see that there are two cookies:

 

JSESSIONID has two attributes - 'secure: true' & 'httpOnly: true'

atlassian.xsrf.token has only one attribute - 'secure: true'

 

Is there a way to set the 'httpOnly: true' attribute on the atlassian.xsrf.token cookie.

Thanks in advance.

 

3 answers

This widget could not be displayed.

We suffer the same issue - Openvas claims with 5.0 (MEDIUM) security score.

Atlassian - will you please fix this?

Having the same issue in Jira (7.11.0, build 711000).

Tryed the solution mentioned below from Ceiba Software but that doesn´t work.

Also I´m not sure if I applied it correct. Changed context.xml from:

<Context>
    <!-- Default set of monitored resources. If one of these changes, the    -->
    <!-- web application will be reloaded.                                   -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>

to:

<Context useHttpOnly="true">
    <Manager/>
    <!-- Default set of monitored resources. If one of these changes, the    -->
    <!-- web application will be reloaded.                                   -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>

 

Also tried to add

<http-only>true</http-only>
<secure>true</secure>

into the <session-config> of atlassian-jira/WEB-INF/web.xml

 

of course i restarted jira after the changes...

 

Can anyone help me with this?

This widget could not be displayed.

i found : 

 

https://confluence.atlassian.com/jira064/preventing-security-attacks-720412500.html#PreventingSecurityAttacks-ConfiguringTomcattouseHttpOnlySessionIDCookies

 

this is related to : https://confluence.atlassian.com/jira064/jira-security-advisory-2010-06-18-720415809.html

 

Open the context.xml file of the Tomcat installation running JIRA in a text editor.

 

Add the following Manager element within the Contextelement of this file:

...
<Context useHttpOnly="true">
  ...
  <Manager/>
  ...
</Context>
...

(info) To disable HttpOnly Session ID cookies, change the value of the useHttpOnly parameter to false.

This widget could not be displayed.

Modifying tomcat configuration still kind of works, but you have to find out the version of Tomcat first. Open RELEASE-NOTE in tomcat-docs to see the version of tomcat, and then you can follow [this](https://geekflare.com/secure-cookie-flag-in-tomcat/) to set up httpOnly attribute.

The problem I am running into is that JIRA (version 7.8.1) can't log me in once httpOnly is set for atlassian.xsrf.token. Seems like JIRA set that cookie by javascript.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Tuesday in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

296 views 1 4
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you