[CWD-2938] Set Crowd JSESSIONID as HTTPOnly in the default configuration

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.5.2
Affects Version/s: None
Component/s: None
Labels:
- no-advisory-required
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

This is to improve mitigation of XSS vulnerabilities.

joe added a comment - 04/Oct/2012 1:08 AM

For existing installations, the Crowd Context in apache-tomcat/conf/Catalina/localhost/crowd.xml needs to be edited from:

<Context path="/crowd" docBase="../../crowd-webapp" debug="0">

<Context path="/crowd" docBase="../../crowd-webapp" debug="0" useHttpOnly="true">

joe added a comment - 04/Oct/2012 1:08 AM For existing installations, the Crowd Context in apache-tomcat/conf/Catalina/localhost/crowd.xml needs to be edited from: <Context path= "/crowd" docBase= "../../crowd-webapp" debug= "0" > to <Context path= "/crowd" docBase= "../../crowd-webapp" debug= "0" useHttpOnly= " true " >

Assignee:: joe

Reporter:: VitalyA

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 04/Oct/2012 12:55 AM

Updated:: 15/Aug/2019 7:05 AM

Resolved:: 04/Oct/2012 2:13 AM

Details

Description

Attachments

Forms

Activity

Collapse comment: joe added a comment - 04/Oct/2012 1:08 AM

Expand comment: joe added a comment - 04/Oct/2012 1:08 AM

People

Dates