Bug
Resolution: Unresolved
Low
None
6.4.11
6.04
5
Severity 3 - Minor
Context
We have Jira running with SSO from Crowd. Jira is behind a corporate reverse proxy (from BlueCoat) which has caching enabled but respects the Cache-Control, Expires and Pragma HTTP headers.
Problem
We have discovered the following cases of session mix-up, where a user [1] gets the Crowd token cookie value from another user [2] and can then perform actions in Jira as if logged in with user [2]'s credentials.
Details
After some investigation, we discovered that if a user
- with no Jira session
- but with a valid Crowd session
- requests some Jira pages,
then the Jira responses:
- have no Cache-Control headers
- have Set-Cookie: crowd.token_key headers
This behavior is dangerous: some Jira resources can be cached by the upstream reverse proxy together with their Set-Cookie headers, and then served from the cache to other users.
Workaround
On the reverse proxy, disable caching completely, or selectively for responses containing Set-Cookie headers.
Real fix
Jira should set a Cache-Control header whenever it sends Set-Cookie headers.
Same as BSERV-8483, CONF-40945, BAM-17294
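The Details, Workaround and Real fix sections above describe one mechanism: a response that sets a session cookie but says nothing about caching is fair game for a shared cache. The following Python script is an added example (not Jira's, Crowd's or Atlassian's code) that audits response headers for exactly that combination and applies the fix the report asks for. It uses a deliberately simplified model of the RFC 7234 storage rules (no-store or private forbids storage, Pragma: no-cache forbids it, an absent or unparsable Expires such as "0" counts as already stale); the sample responses are constructed, and the crowd.token_key value is a placeholder.

```python
"""Audit HTTP response headers for the Set-Cookie caching hazard described in the report.

A shared cache that honours Cache-Control, Expires and Pragma stores a response
unless those headers forbid it. A stored response that carries Set-Cookie can
then be replayed to other clients together with the first user's cookie.
Simplified model of RFC 7234 storage rules; not Jira's or Crowd's code.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives that stop a shared cache from storing or sharing a response.
SAFE_DIRECTIVES = {"no-store", "private"}


def parse_cache_control(value):
    """Split a Cache-Control value into lowercase directive names (values dropped)."""
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def expires_is_fresh(value):
    """True only if Expires parses as a date in the future.

    RFC 7234 treats an unparsable Expires (such as '0') as already expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return False
    if when is None:
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def shared_cache_may_store(headers):
    """Return True if a shared cache honouring these headers may store the
    response and later serve it as fresh to another client."""
    directives = set()
    expires = None
    pragma_no_cache = False
    for name, value in headers:
        lname = name.lower()
        if lname == "cache-control":
            directives |= parse_cache_control(value)
        elif lname == "expires":
            expires = value
        elif lname == "pragma" and "no-cache" in value.lower():
            pragma_no_cache = True
    if directives & SAFE_DIRECTIVES or pragma_no_cache:
        return False
    if expires is not None and not expires_is_fresh(expires):
        return False
    # Nothing forbids storage, so a caching proxy is free to keep this response.
    return True


def audit(headers):
    """Return one finding per Set-Cookie header on a response a shared cache may store."""
    cookie_names = [v.split("=", 1)[0].strip()
                    for n, v in headers if n.lower() == "set-cookie"]
    if not cookie_names or not shared_cache_may_store(headers):
        return []
    return [f"cookie '{c}' is set on a response a shared cache may store"
            for c in cookie_names]


def harden(headers):
    """Apply the fix the report asks for: whenever Set-Cookie is present, add
    headers that forbid caching. An existing Cache-Control is kept and extended."""
    if not any(n.lower() == "set-cookie" for n, _ in headers):
        return list(headers)
    fixed = []
    have_cc = False
    for name, value in headers:
        lname = name.lower()
        if lname == "cache-control":
            have_cc = True
            if not parse_cache_control(value) & SAFE_DIRECTIVES:
                value = value + ", no-store, private"
        elif lname in ("pragma", "expires"):
            continue  # replaced by the explicit values appended below
        fixed.append((name, value))
    if not have_cc:
        fixed.append(("Cache-Control", "no-cache, no-store, must-revalidate"))
    fixed.append(("Pragma", "no-cache"))
    fixed.append(("Expires", "0"))
    return fixed


# Constructed sample responses (not captured traffic); the token value is a placeholder.
VULNERABLE_RESPONSE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "crowd.token_key=PLACEHOLDER_TOKEN; Path=/; HttpOnly"),
]
SAFE_RESPONSE = VULNERABLE_RESPONSE + [
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
]

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, audit(resp) or "no findings")
    print("hardened", harden(VULNERABLE_RESPONSE))
```

The audit mirrors the workaround (the proxy side decides what is storable), while harden mirrors the real fix (the application refuses storage whenever it hands out a cookie). Running audit over the headers of a representative set of responses, for example from a proxy access log that records them, is a cheap regression check for the same defect in other applications behind the same cache.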
relates to
- CONFSERVER-40945 Responses with Set-Cookie header cached (Closed)
- BDEV-11672