After running an Alienvault USM scan against Jira, it found a medium vulnerability:
Port 443 'Vulnerability Detection Result: The cookies: Set-Cookie: atlassian.xsrf.token=xxxxxxxxxxxxxxxxxxxxx|lout; Path=/ are missing the "httpOnly" attribute. Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute.'
Looking at the network packets I can see that there are two cookies:
JSESSIONID has two attributes - 'secure: true' & 'httpOnly: true'
atlassian.xsrf.token has only one attribute - 'secure: true'
Is there a way to set the 'httpOnly: true' attribute on the atlassian.xsrf.token cookie?
Thanks in advance.
This has been addressed by our Atlassian security team. This attribute has been assessed, and it was determined that making it HttpOnly would not improve security, as an attacker who can XSS a Jira user can already obtain their CSRF/XSRF token by making an Ajax request to a Jira page, since the XSRF/CSRF token is found in the page's meta information.
The atlassian.xsrf.token does not require this flag as it's not an authentication cookie. An attacker in possession of that cookie would not be able to access Jira without the JSESSIONID one.
Basically, as long as you have the attribute useHttpOnly set to true in your $JIRA-installation-directory/server.xml Tomcat config file:
<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
The cookie JSESSIONID and other authentication cookies would be protected by the httpOnly flag. However, the reason the atlassian.xsrf.token cookie doesn't require this flag is that that cookie by itself cannot be used by an attacker to exploit JIRA authentication.
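The scanner finding in the question and the Atlassian reply above turn on the same question: which attributes does each Set-Cookie header carry, and does a missing HttpOnly on that particular cookie matter? The following is an added example (not Atlassian's code and not from this thread) that parses Set-Cookie header values and reports missing Secure, HttpOnly and Path attributes, rating a missing HttpOnly as a finding only for cookies in an assumed list of authentication cookies (here just JSESSIONID); the sample headers and cookie values are constructed placeholders modelled on the two cookies described in the question.

```python
"""Audit Set-Cookie header values for the attributes a cookie scanner checks.

Added example for this thread; not Atlassian code. The sample headers below
are constructed, with placeholder values, to mirror the two cookies described
in the question.
"""
from dataclasses import dataclass, field

# Assumption: cookies that carry authentication. A missing HttpOnly on these is
# a real finding. The XSRF token is readable from the page's meta markup anyway
# (as the Atlassian reply explains), so a missing HttpOnly there is only
# informational.
AUTH_COOKIES = {"JSESSIONID"}


@dataclass
class Cookie:
    name: str
    value: str
    # Lower-cased attribute name -> attribute value, or True for flag attributes
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (the part after 'Set-Cookie:').

    The first ';'-separated part is name=value; the rest are attributes such as
    Path=/ (valued) or Secure / HttpOnly (flags). Only the first '=' in the
    name=value part is split on, so values containing '=' or '|' survive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def audit(cookie: Cookie, auth_cookies=AUTH_COOKIES) -> list[str]:
    """Return finding strings for one cookie, in the spirit of the scanner output."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append(f"{cookie.name}: missing Secure")
    if "httponly" not in cookie.attrs:
        severity = "MEDIUM" if cookie.name in auth_cookies else "INFO"
        findings.append(f"{cookie.name}: missing HttpOnly ({severity})")
    if "path" not in cookie.attrs:
        findings.append(f"{cookie.name}: missing Path")
    return findings


# Constructed sample headers (placeholder values), one per cookie in the question.
SAMPLE_HEADERS = [
    "JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/; Secure; HttpOnly",
    "atlassian.xsrf.token=PLACEHOLDER_TOKEN|lout; Path=/; Secure",
]


def audit_all(headers=SAMPLE_HEADERS) -> dict[str, list[str]]:
    """Audit every header and return {cookie name: [findings]}."""
    return {c.name: audit(c) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["ok"])
```

Run against captured response headers, the output distinguishes a session cookie that is actually exposed from the informational case this thread is about; extend AUTH_COOKIES to whatever cookies carry authentication in your deployment.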
Hello @Mahtab
Please suggest for this type of threat: "Session Cookie path attribute not set". Is there anything possible? Please answer me. TQ
Session Cookie path attribute not set
Modifying tomcat configuration still kind of works, but you have to find out the version of Tomcat first. Open RELEASE-NOTE in tomcat-docs to see the version of tomcat, and then you can follow [this](https://geekflare.com/secure-cookie-flag-in-tomcat/) to set up httpOnly attribute.
The problem I am running into is that JIRA (version 7.8.1) can't log me in once httpOnly is set for atlassian.xsrf.token. It seems like JIRA sets that cookie via JavaScript.
We suffer the same issue - Openvas claims with 5.0 (MEDIUM) security score.
Atlassian - will you please fix this?
Having the same issue in Jira (7.11.0, build 711000).
Tried the solution mentioned below from Ceiba Software, but that doesn't work.
Also I'm not sure if I applied it correctly. Changed context.xml from:
<Context>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
</Context>
to:
<Context useHttpOnly="true">
<Manager/>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
</Context>
Also tried to add
<http-only>true</http-only>
<secure>true</secure>
into the <session-config> of atlassian-jira/WEB-INF/web.xml
Of course I restarted Jira after the changes...
Can anyone help me with this?
I found: this is related to https://confluence.atlassian.com/jira064/jira-security-advisory-2010-06-18-720415809.html
Open the context.xml file of the Tomcat installation running JIRA in a text editor. Add the following Manager element within the Context element of this file:
...
<Context useHttpOnly="true">
...
<Manager/>
...
</Context>
...
To disable HttpOnly Session ID cookies, change the value of the useHttpOnly parameter to false.
The original question was about the xsrf token, not the session ID.