-
Type:
Bug
-
Resolution: Won't Fix
-
Priority:
Low
-
Component/s: Infrastructure & Services
-
2
-
Severity 3 - Minor
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.
Steps to Reproduce:
- Log into JIRA
- Log out from JIRA
Expected Results:
- The URL shown in the address bar does not show the atl_token value
Actual Results:
- The URL shown in the address bar shows the atl_token value
Impact
After checking with the security teams, this appears to be a low risk problem (as the token is invalid after logging out). However, if there are other resources where atl_token is used as a request parameter and a resource from an external resource is included then the referrer header will leak the token (in the request to the external resource).
- is duplicated by
-
JRACLOUD-44207 atl_token appended to request URL
- Closed