-
Suggestion
-
Resolution: Timed out
-
None
-
None
-
1
-
2
-
Our security department has scanned our Jira (v7.4.2#74004-sha1:586975d) using an IBM tool called Appscan. It reported a possible vulnerability. I have to prepare a response to indicate if this is a known problem and when or if it will be fixed. I require your assistance please. Text from the report follows:
- Missing Secure Attribute in Encrypted Session (SSL) Cookie- It may be possible to steal user and session information (cookies) that was sent during an encrypted session.
Recommendation: Add the 'Secure' attribute to all sensitive cookies.
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSWSERVER-16436] Missing Secure Attribute in Encrypted Session (SSL) Cookie
steve moffat
added a comment - Found this in the forums... I need to add secure="true" in our server.xml, and re-test I think this will solve the issue.
secure="true"
proxyName="jira.example.com"
proxyPort="443"
scheme="https"
steve moffat
added a comment - Found this in the forums... I need to add secure="true" in our server.xml, and re-test I think this will solve the issue.
secure="true"
proxyName="jira.example.com"
proxyPort="443"
scheme="https" 
Information on configuring Jira with TLS can be found at https://confluence.atlassian.com/adminjiraserver/running-jira-applications-over-ssl-or-https-938847764.html.