Dear Maintainer,
The Jenkins currently shipped with Debian doesn't correctly set the HttpOnly and
Secure options on session cookies.
The first option prevents the cookie from being read by scripts, thus preventing
XSS vulnerabilities from being used to steal sessions.
The second option prevents the session cookie from being sent over a clear HTTP connection,
thus preventing malevolent users from stealing the session cookie by redirecting users to
HTTP access.
There is already an upstream bug for this problem located at this URL:
https://issues.jenkins-ci.org/browse/JENKINS-25019
with a proposed fix that only addresses the HttpOnly issue for Tomcat.
The problem is reported in Tomcat log with the following lines:
WARNING: Failed to set secure cookie flag
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at jenkins.model.JenkinsLocationConfiguration.updateSecureSessionFlag(JenkinsLocationConfiguration.java:123)
at jenkins.model.JenkinsLocationConfiguration.load(JenkinsLocationConfiguration.java:71)
at jenkins.model.JenkinsLocationConfiguration.<init>(JenkinsLocationConfiguration.java:46)
at jenkins.model.JenkinsLocationConfiguration$$FastClassByGuice$$a6785528.newInstance(<generated>)
at net.sf.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:429)
[...]
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Property HttpOnly can not be added to SessionCookieConfig for context /jenkins as the context has been initialised
at org.apache.catalina.core.ApplicationSessionCookieConfig.setHttpOnly(ApplicationSessionCookieConfig.java:107)
... 90 more
Thanks in advance for your help on this issue.
Yann Rouillard
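A way to verify the two cookie attributes discussed in the report above, added here as an example and not part of the bug report or of Jenkins: it parses Set-Cookie header values, picks out the Jenkins session cookie (named JSESSIONID with a per-instance suffix) and lists which of HttpOnly and Secure are missing. The sample headers are constructed; `fetch_set_cookie_headers` is a hypothetical helper for running the same check against a live instance.

```python
"""Report session cookies that lack the HttpOnly and Secure attributes."""
from typing import Dict, List, Set, Tuple

# Jenkins names its session cookie JSESSIONID.<suffix>; the check is case-insensitive.
SESSION_COOKIE_PREFIXES = ("JSESSIONID",)


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()  # "Path=/jenkins" -> "path"
        if key:
            attrs.add(key)
    return name, attrs


def missing_session_flags(headers: List[str], is_https: bool = True) -> Dict[str, List[str]]:
    """Map each session cookie name to the flags it lacks.

    Secure is only demanded when the site is served over HTTPS: a Secure cookie
    is never sent over plain HTTP, so requiring it there would break logins.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not name.upper().startswith(SESSION_COOKIE_PREFIXES):
            continue  # not a session cookie, e.g. screenResolution
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if is_https and "secure" not in attrs:
            missing.append("Secure")
        findings[name] = missing
    return findings


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Hypothetical helper: collect every Set-Cookie header from one GET request."""
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample: a misconfigured instance, a correct one, and a non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID.6a1f2c3d=node0abc123.node0; Path=/jenkins",
    "JSESSIONID.9b8e7d6c=node0def456.node0; Path=/jenkins; HttpOnly; Secure",
    "screenResolution=1920x1080; Path=/jenkins",
]

if __name__ == "__main__":
    for cookie, flags in missing_session_flags(SAMPLE_HEADERS).items():
        print(cookie, "missing:", ", ".join(flags) or "nothing")
```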