Details
-
Suggestion
-
Resolution: Unresolved
-
None
-
3
-
6
-
Description
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Problem Definition
In a few aspects of JIRA e.g. User Profile menu (my JIRA home, logout menu items), the atl_token is appended to the URL and propagated using GET method.
Sensitive information such as token will travel as part of URL when using GET. This information will be stored in browser cache and server logs. This information will be available for unauthorized disclosure through various methods such as shoulder surfing, shared machines or accessing server logs. Additionally, URLs information can get leaked out using referrer header when an external link is accessed via the application.
Suggested Solution
POST method can be used instead, since it doesn't store the token as part of the URL and perhaps appears to expose less.
Attachments
Issue Links
- is related to
-
JRASERVER-61250 JIRA puts a user's XSRF token in various resources.
- Gathering Impact
- relates to
-
JRACLOUD-44207 atl_token appended to request URL
- Closed