Bamboo 4.2 : Configuring Tomcat to Use HttpOnly Session ID Cookies

Bamboo distributions from version 2.5.5 now enforce the HttpOnly flag on session ID cookies by default, as a means to minimise the risk of common XSS attacks. For more information about this feature, please refer to the Bamboo Security Advisory 2010-05-04.

If you are running the Bamboo EAR-WAR distribution on Tomcat (or another unsupported application server), Bamboo's session ID cookies will most likely not be transmitted with the HttpOnly flag. To reduce the risk of common XSS attacks, we recommend that you configure your application server to transmit HttpOnly session ID cookies.

To configure the Bamboo EAR-WAR distribution running on Tomcat to use HttpOnly session ID cookies:

  1. Shut down the Bamboo service running on Tomcat, and then the Tomcat application server itself.
  2. Open the context.xml file of the Tomcat installation running Bamboo in a text editor.
    This file is typically located in the conf subdirectory of the main Tomcat installation directory.
  3. Add the following Manager element within the Context element of this file:

    ...
    <Context>
      ...
      <Manager useHttpOnly="true"/>
      ...
    </Context>
    ...

    To disable HttpOnly session ID cookies, either remove this Manager element or change the value of its useHttpOnly attribute to false.

  4. Save your changes to the context.xml file.
  5. Restart Bamboo.
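To confirm that the change took effect after the restart, the following added example (not part of the Bamboo documentation) inspects the Set-Cookie headers a server returns and reports whether the session cookie carries HttpOnly. It assumes Tomcat's default session cookie name, JSESSIONID; the sample headers used to exercise it are constructed.

```python
"""Check that a Tomcat-hosted application's session cookie is HttpOnly.

Added example, not part of the Bamboo documentation. JSESSIONID is Tomcat's
default session cookie name; any sample headers fed to it are constructed.
"""
import urllib.request

SESSION_COOKIE = "JSESSIONID"  # Tomcat default; adjust if your server renames it


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lowercase: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        # Flags such as HttpOnly and Secure carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def session_cookie_is_httponly(set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return True if every session cookie issued is HttpOnly, False if one is
    not, and None if no Set-Cookie header names the session cookie at all."""
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if attrs.get("httponly") is not True:
            return False  # cookie is readable from script via document.cookie
    return True if seen else None


def check_url(url):
    """Fetch url and evaluate the Set-Cookie headers of the final response.

    urllib follows redirects, so point this at a page that issues the session
    directly, e.g. the Bamboo login page after the Tomcat restart.
    """
    with urllib.request.urlopen(url) as resp:
        return session_cookie_is_httponly(resp.headers.get_all("Set-Cookie") or [])
```

A return value of None means the request did not issue a session cookie at all, which is worth distinguishing from a missing flag before concluding the setting works.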