Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-8974

Restrict cookie-based login to SSL users

XMLWordPrintable

    • Icon: Suggestion Suggestion
    • Resolution: Won't Fix
    • None

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      If someone is snooping HTTP requests and gets hold of your JIRA cookie, this is just as good as a username:password combination - they can log into JIRA as you with it. So in security-conscious installations, cookies over HTTP is not a good idea.

      Cookies can have an SSL bit set, which means the browser won't send them to a website unless SSL is used. We should add an admin option to JIRA to use this bit, and only allow SSL-protected users to store a cookie logging them in.

            Unassigned Unassigned
            7ee5c68a815f Jeff Turner
            Votes:
            4 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: