atl_token appended to request URL

XMLWordPrintable

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Problem Definition

      In a few aspects of JIRA e.g. User Profile menu (my JIRA home, logout menu items), the atl_token is appended to the URL and propagated using GET method.

      Sensitive information such as token will travel as part of URL when using GET. This information will be stored in browser cache and server logs. This information will be available for unauthorized disclosure through various methods such as shoulder surfing, shared machines or accessing server logs. Additionally, URLs information can get leaked out using referrer header when an external link is accessed via the application.

      Suggested Solution

      POST method can be used instead, since it doesn't store the token as part of the URL and perhaps appears to expose less.

            Assignee:
            Unassigned
            Reporter:
            Taiwo Akindele (Inactive)
            Votes:
            3 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: