This documentation relates to an earlier version of Bamboo.
View

Unknown macro: {spacejump}

or visit the current documentation home.

Bamboo Standalone distributions from version 2.5.5 now enforce the HttpOnly flag on session ID cookies by default, as a means to minimise the risk of common XSS attacks. For more information about this feature, please refer to the Bamboo Security Advisory 2010-05-04.

If you are running the Bamboo EAR-WAR distribution on Tomcat (or another application server that is unsupported), it is likely that Bamboo's session ID cookies will not be transmitted with the HttpOnly flag. Hence, to mitigate the risk of common XSS attacks, we recommend that you configure your application server to transmit HttpOnly session ID cookies.

Configuring Tomcat to use HttpOnly Session ID Cookies

To configure your Bamboo EAR-WAR distribution running on Tomcat to use HttpOnly Session ID Cookies:

  1. Shutdown the Bamboo service running on Tomcat and the Tomcat application server.
  2. Open the context.xml file of the Tomcat installation running Bamboo in a text editor.
    (info) This file is typically located in the conf subdirectory of the main Tomcat installation directory.
  3. Add the following Manager element within the Context element of this file: 
    ...
<Context>
  ...
  <Manager useHttpOnly="true"/>
  ...
</Context>
...
    (info) To disable HttpOnly Session ID cookies, either remove this Manager element or change the value of its useHttpOnly parameter to false.
  4. Save your changes to the context.xml file and restart Bamboo.
  • No labels



Log a request with our support team.



Raise an issue for our developers.



See answers from the community.



Blog and update our documentation.

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.