Jira Data Center

JRASERVER-44207: atl_token appended to request URL

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Problem Definition

In a few parts of JIRA, e.g. the User Profile menu (the "My JIRA Home" and "Log Out" menu items), the atl_token is appended to the URL and sent as a GET parameter.

Sensitive information such as the token travels as part of the URL when GET is used. It is then stored in the browser cache and in server logs, and is exposed to unauthorized disclosure through shoulder surfing, shared machines, or access to server logs. Additionally, URL information can leak through the Referer header when an external link is opened from the application.

      Suggested Solution

The POST method can be used instead: the token is then carried in the request body rather than the URL, so it is not recorded in the browser cache or server logs and is exposed less.
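As an added example (not part of this issue or of Jira's own code), the check a defender would run over server access logs given the exposure described above: it flags combined-format log lines whose request URL or Referer carries atl_token and produces a redacted copy suitable for retention. The log format, hostnames and sample lines are constructed; only the atl_token parameter name comes from the issue.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never travel in a URL. atl_token is the Jira
# CSRF token this issue describes; extend the set for other deployments.
SENSITIVE_PARAMS = {"atl_token"}

# Combined log format (assumed): client ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def sensitive_params(url: str) -> list:
    """Names of sensitive parameters present in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if name in SENSITIVE_PARAMS]

def redact_url(url: str) -> str:
    """Replace the value of each sensitive query parameter with a fixed marker."""
    parts = urlsplit(url)
    pairs = [(n, "REDACTED" if n in SENSITIVE_PARAMS else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_access_log(lines):
    """Return one finding per log line whose request URL or Referer carries a token."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        req, ref = sensitive_params(m["path"]), sensitive_params(m["referer"])
        if not (req or ref):
            continue
        redacted = line
        for group in ("referer", "path"):  # right-to-left so earlier spans stay valid
            start, end = m.span(group)
            redacted = redacted[:start] + redact_url(m[group]) + redacted[end:]
        findings.append({"line": line_no, "method": m["method"], "request_params": req,
                         "referer_params": ref, "redacted": redacted})
    return findings

# Constructed sample log lines (not real Jira traffic) showing both exposure paths.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Mar/2015:10:01:02 +0000] "GET /secure/Logout.jspa?atl_token=tok-abc123 HTTP/1.1" 302 0 "https://jira.example.com/secure/Dashboard.jspa" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Mar/2015:10:01:03 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Mar/2015:10:02:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8192 "https://jira.example.com/secure/MyJiraHome.jspa?atl_token=tok-xyz789" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Mar/2015:10:02:05 +0000] "POST /secure/Logout.jspa HTTP/1.1" 302 0 "https://jira.example.com/browse/PROJ-1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} request={f['request_params']} referer={f['referer_params']}")
        print("  redacted:", f["redacted"])
```

The POST logout on the last sample line produces no finding, which is the point of the suggested fix: the token is no longer in anything the access log records.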

People

Unassigned
takindele Taiwo Akindele (Inactive)