JRASERVER-60043 (Jira Data Center)

Responses with Set-Cookie header cached


    Description

      Context

      We have Jira running with SSO from Crowd. Jira is behind a corporate reverse proxy (from BlueCoat) which has caching enabled but respects the Cache-control, Expire and Pragma HTTP headers.

      Problem

      We have discovered the following cases of session mix-up where a user [1] gets the Crowd token cookie value from another user [2] and then user [1] can make actions in Jira as if logged in with user [2]'s credentials.

      Details

      After some investigation, we discovered that if a user

      1. with no Jira session
      2. with a valid Crowd session
      3. tries to get some Jira pages,
      4. they will get Jira responses which:
      • have no Cache-Control headers
      • have Set-Cookie: crowd.token_key headers

      This behavior is dangerous, as some Jira resources can be cached by the upstream reverse proxy together with their Set-Cookie headers and then served as cached data to other users.

      Workaround

      On the reverse proxy, disable caching completely, or selectively on responses containing Set-Cookie headers.

      Real fix

      Jira should set a Cache-Control header whenever it sends Set-Cookie headers.

      Same as BSERV-8483, CONF-40945, BAM-17294
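A small check for the condition described in this report, added here as an example (it is not part of the report or of Jira): it flags responses that carry Set-Cookie without a Cache-Control directive that stops a shared cache from storing them. The header samples are constructed, not captured from a Jira instance.

```python
# Cache-Control response directives that forbid a shared cache from storing
# the response. "no-cache" alone is deliberately not in this set: under
# RFC 7234 a cache may still store such a response and must only revalidate
# it before reuse.
UNCACHEABLE_DIRECTIVES = {"no-store", "private"}


def cache_control_directives(headers):
    """Return the lower-cased directive names found in Cache-Control headers,
    e.g. {"no-store", "max-age"} for "no-store, max-age=0"."""
    names = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            for directive in value.split(","):
                directive = directive.strip().lower()
                if directive:
                    names.add(directive.split("=", 1)[0])
    return names


def is_cacheable_cookie_response(headers):
    """True when the response sets a cookie but nothing in Cache-Control
    keeps a shared cache (such as the reverse proxy in the report) from
    storing it and serving it to another user."""
    sets_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
    return sets_cookie and not (cache_control_directives(headers) & UNCACHEABLE_DIRECTIVES)


def audit(responses):
    """Return the labels of sample responses that exhibit the hazard."""
    return [label for label, headers in responses.items() if is_cacheable_cookie_response(headers)]


# Constructed sample responses (header lists), not real Jira output.
SAMPLES = {
    "sso_page_as_reported": [  # cookie set, no Cache-Control at all
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Set-Cookie", "crowd.token_key=EXAMPLE-TOKEN; Path=/; HttpOnly"),
    ],
    "sso_page_with_fix": [  # Cache-Control accompanies every Set-Cookie
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Set-Cookie", "crowd.token_key=EXAMPLE-TOKEN; Path=/; HttpOnly"),
        ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ],
    "static_asset": [  # cacheable, but sets no cookie, so no hazard
        ("Content-Type", "text/css"),
        ("Cache-Control", "public, max-age=31536000"),
    ],
    "max_age_only": [  # has Cache-Control, but it permits shared caching
        ("Set-Cookie", "JSESSIONID=EXAMPLE; Path=/; HttpOnly"),
        ("Cache-Control", "max-age=600"),
    ],
}

if __name__ == "__main__":
    for label in audit(SAMPLES):
        print("cacheable response sets a cookie:", label)
```

The same check can be pointed at live response headers from a proxy log or an HTTP client to verify that the fix or workaround is in effect.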
