Vulnerability and security scanners might alert when an HTTPS site does not set the "secure" flag in the "set-cookie" response header.
This situation often happens when HTTPS/SSL offloading is used in front of the web application server. A reverse proxy or load balancer handles the encrypted HTTPS communication between the client and the infrastructure and then (often) communicates over plain HTTP with the application server in the internal network. The application server therefore only sees plain HTTP requests and does not mark its cookies as secure on its own.
[Client] ----> https://jira.example.com [Reverse Proxy] ----> http://jiraserver.internal:8080 [Application Server]
The missing secure flag in the set-cookie header can be verified very quickly using curl:
$ curl -s https://jira.example.com -I|grep SESSION
set-cookie: JSESSIONID=CFAF22396081CF4330BD8E5A741F1AE7; Path=/; HttpOnly
Jira uses Tomcat in the background and Tomcat's server.xml should already be partially prepared for this setup, by setting the proxyName, proxyPort and the HTTP scheme to https:
<!-- Communication via Reverse Proxy jira.example.com -->
<Connector port="8080"
           relaxedPathChars="[]|"
           relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"
           proxyName="jira.example.com"
           proxyPort="443"
           scheme="https" />
But that's not enough for Tomcat to add the secure flag to the "set-cookie" header. An additional attribute is required on the <Connector> element:
<!-- Communication via Reverse Proxy jira.example.com -->
<Connector port="8080"
           relaxedPathChars="[]|"
           relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"
           proxyName="jira.example.com"
           proxyPort="443"
           secure="true"
           scheme="https" />
Here the secure="true" parameter was added to the Connector.
After a Jira restart (/etc/init.d/jira stop, followed by a /etc/init.d/jira start), the secure flag is now set:
$ curl -s https://jira.example.com -I|grep SESSION
set-cookie: JSESSIONID=4BCCC0389B0EA625F4B725E1DC415CD1; Path=/; Secure; HttpOnly
Of course this basically applies to all Tomcat servers (therefore also Atlassian Confluence).
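As an added example (not from the original post and not Tomcat or Atlassian code), the following Python audit generalizes the fix to any server.xml: it reports every Connector that sets scheme="https" but leaves secure at its default of false. The embedded sample XML is constructed from the post's connector (trimmed), and the second connector on port 8081 is made up for contrast.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the post's "before" connector (trimmed) plus a corrected
# connector on a made-up second port (8081).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               proxyName="jira.example.com" proxyPort="443" scheme="https" />
    <Connector port="8081" protocol="HTTP/1.1"
               proxyName="jira.example.com" proxyPort="443"
               scheme="https" secure="true" />
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one finding per <Connector> that tells clients it is reached via
    HTTPS (scheme="https") but does not set secure="true". Accepts str or bytes."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        scheme = conn.get("scheme", "http").strip().lower()   # Tomcat default: http
        secure = conn.get("secure", "false").strip().lower()  # Tomcat default: false
        if scheme == "https" and secure != "true":
            findings.append({
                "port": conn.get("port"),
                "proxyName": conn.get("proxyName"),
                "issue": 'scheme="https" without secure="true"',
            })
    return findings


def main(argv):
    # No arguments: audit the embedded sample. Otherwise audit each file given.
    inputs = [("<sample>", SAMPLE_SERVER_XML)]
    if len(argv) > 1:
        inputs = [(path, open(path, "rb").read()) for path in argv[1:]]
    bad = 0
    for name, text in inputs:
        for f in audit_connectors(text):
            bad += 1
            print(f"{name}: Connector port={f['port']} "
                  f"proxyName={f['proxyName']}: {f['issue']}")
    return 1 if bad else 0  # non-zero exit makes it usable in a CI or cron check


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass one or more server.xml paths as arguments to audit real instances; the curl check from the post remains the way to confirm the header after a restart.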