Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-44207

atl_token appended to request URL

    XMLWordPrintable

Details

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Problem Definition

      In a few aspects of JIRA e.g. User Profile menu (my JIRA home, logout menu items), the atl_token is appended to the URL and propagated using GET method.

      Sensitive information such as token will travel as part of URL when using GET. This information will be stored in browser cache and server logs. This information will be available for unauthorized disclosure through various methods such as shoulder surfing, shared machines or accessing server logs. Additionally, URLs information can get leaked out using referrer header when an external link is accessed via the application.

      Suggested Solution

      POST method can be used instead, since it doesn't store the token as part of the URL and perhaps appears to expose less.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. JRACLOUD-61250 JIRA puts a user's XSRF token in various resources.

          • Low - Low priority issues
          • Closed
          is related to

          Suggestion - JRASERVER-44207 atl_token appended to request URL

          • Gathering Interest
          relates to

          Bug - A problem which impairs or prevents the functions of the product. JRACLOUD-67167 JIRA includes the Username in links on the edit profile page

          • Low - Low priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              takindele Taiwo Akindele (Inactive)
              Votes:
              3 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: