Is it possible to add the httpOnly attribute to the atlassian.xsrf.token cookie

Lee Flaxington January 17, 2018

After running an Alienvault USM scan against Jira, it found a medium vulnerability:

Port 443 'Vulnerability Detection Result: The cookies: Set-Cookie: atlassian.xsrf.token=xxxxxxxxxxxxxxxxxxxxx|lout; Path=/ are missing the "httpOnly" attribute. Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute.'

Looking at the network packets I can see that there are two cookies:

JSESSIONID has two attributes - 'secure: true' & 'httpOnly: true'

atlassian.xsrf.token has only one attribute - 'secure: true'

Is there a way to set the 'httpOnly: true' attribute on the atlassian.xsrf.token cookie?

Thanks in advance.

4 answers

4 votes
Mahtab
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 3, 2019

This has been addressed by our Atlassian security team. This attribute has been assessed, and it was determined that making it HttpOnly would not improve security, as an attacker who can XSS a Jira user can already obtain their CSRF/XSRF token by making an Ajax request to a Jira page, since the XSRF/CSRF token is found in the page's meta information.

The atlassian.xsrf.token does not require this flag as it's not an authentication cookie. An attacker in possession of that cookie would not be able to access Jira without the JSESSIONID one.

Basically, as long as you have the attribute useHttpOnly set to true in your $JIRA-installation-directory/server.xml Tomcat config file:

<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">

The cookie JSESSIONID and other authentication cookies will be protected by the HttpOnly flag. However, the reason why the atlassian.xsrf.token cookie doesn't require this flag is that that cookie by itself cannot be used by an attacker to exploit JIRA authentication.

gudalasateesh June 1, 2022

Hello @Mahtab

Please suggest how to address this type of threat: "Session Cookie path attribute not set". Is there anything possible? Please answer me. TQ

Mahtab
Atlassian Team
June 2, 2022

@gudalasateesh 

Session Cookie path attribute not set

  • This is fine, as the cookie root path / is for the domain only.
  • This is required because everything after the / is accessed by the cookie session, i.e. all the different paths after it (e.g. /secure/Dashboard.jspa, /browse/TEST-1, etc.).
  • If you want it specific, without seeing the / as the cookie path, you can configure Jira to run with a context path: Set a context path for Atlassian applications
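The check the scanner is performing, together with the distinction Mahtab draws between an authentication cookie and the XSRF token (and the follow-up about the Path attribute), as a small added Python audit script. This is example code written for this page, not Atlassian's or the scanner's own code; the Set-Cookie lines are constructed to mirror what the thread describes, and the set of cookie names treated as authentication cookies is an assumption you should adjust for your own deployment:

```python
"""Audit Set-Cookie headers for HttpOnly / Secure / Path attributes.

Findings are graded the way the thread reasons about them: a session
(authentication) cookie without HttpOnly is a real problem; a CSRF token
cookie without HttpOnly is informational, because the token is exposed in
page content anyway and the cookie alone grants no access.
"""
from dataclasses import dataclass

# Constructed sample headers modelled on the thread (not captured from a real Jira).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "Set-Cookie: atlassian.xsrf.token=AAAA-BBBB-CCCC-DDDD|lout; Path=/; Secure",
    "Set-Cookie: JSESSIONID=FEDCBA9876543210; Secure",
]

# Cookies that carry authentication state. JSESSIONID is the one named on the page;
# any other name you add here is an assumption about your own deployment.
SESSION_COOKIES = {"JSESSIONID"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value ("" for flag attributes)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header line into name, value and attributes."""
    body = header.strip()
    if body.lower().startswith("set-cookie:"):
        body = body.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    # Only the first "=" separates name from value; the value itself may contain "=".
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def audit(headers):
    """Return a list of (cookie name, severity, message) tuples."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        is_session = cookie.name in SESSION_COOKIES
        if "httponly" not in cookie.attrs:
            if is_session:
                findings.append((cookie.name, "high", "session cookie missing HttpOnly"))
            else:
                findings.append((cookie.name, "info",
                                 "non-session cookie missing HttpOnly (not an authentication cookie)"))
        if "secure" not in cookie.attrs:
            findings.append((cookie.name, "medium", "cookie missing Secure"))
        if "path" not in cookie.attrs:
            # Tomcat sends Path=/ by default; an explicit root path is fine for a
            # single-domain deployment, so this is informational only.
            findings.append((cookie.name, "info", "Path not set explicitly (server default applies)"))
    return findings


def has_high_findings(headers) -> bool:
    """True if any authentication cookie is missing HttpOnly."""
    return any(severity == "high" for _, severity, _ in audit(headers))


if __name__ == "__main__":
    for name, severity, message in audit(SAMPLE_HEADERS):
        print(f"[{severity:6}] {name}: {message}")
```

Feed it the Set-Cookie lines from a saved response (for example from the browser's network panel) to see which findings actually concern an authentication cookie and which are only the XSRF token the scanner is complaining about.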
1 vote
Powpow Shen September 20, 2018

Modifying the Tomcat configuration still kind of works, but you have to find out the version of Tomcat first. Open RELEASE-NOTES in tomcat-docs to see the version of Tomcat, and then you can follow [this](https://geekflare.com/secure-cookie-flag-in-tomcat/) to set up the httpOnly attribute.

The problem I am running into is that JIRA (version 7.8.1) can't log me in once httpOnly is set for atlassian.xsrf.token. It seems like JIRA sets that cookie via JavaScript.

1 vote
Andrzej Talarek March 1, 2018

We suffer from the same issue - OpenVAS flags it with a 5.0 (MEDIUM) security score.

Atlassian - will you please fix this?

Stefan Kirch July 23, 2018

Having the same issue in Jira (7.11.0, build 711000).

Tried the solution mentioned below from Ceiba Software, but that doesn't work.

Also, I'm not sure if I applied it correctly. Changed context.xml from:

<Context>
    <!-- Default set of monitored resources. If one of these changes, the    -->
    <!-- web application will be reloaded.                                   -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>

to:

<Context useHttpOnly="true">
    <Manager/>
    <!-- Default set of monitored resources. If one of these changes, the    -->
    <!-- web application will be reloaded.                                   -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
    <!--
    <Manager pathname="" />
    -->
</Context>

Also tried to add

<http-only>true</http-only>
<secure>true</secure>

into the <session-config> of atlassian-jira/WEB-INF/web.xml

Of course I restarted Jira after the changes...

Can anyone help me with this?

0 votes
Ceiba_Software March 28, 2018

I found:

https://confluence.atlassian.com/jira064/preventing-security-attacks-720412500.html#PreventingSecurityAttacks-ConfiguringTomcattouseHttpOnlySessionIDCookies

This is related to: https://confluence.atlassian.com/jira064/jira-security-advisory-2010-06-18-720415809.html

Open the context.xml file of the Tomcat installation running JIRA in a text editor.

Add the following Manager element within the Context element of this file:

...
<Context useHttpOnly="true">
  ...
  <Manager/>
  ...
</Context>
...

Info: To disable HttpOnly Session ID cookies, change the value of the useHttpOnly parameter to false.

Michael Aglas October 28, 2021

The original question was about the XSRF token, not the session ID.
