Details
- Bug
- Resolution: Unresolved
- Low
- None
- 6.3.9, 7.1.1
- 6.03
- 32
- Severity 3 - Minor
- 1
Description
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.
Steps to Reproduce:
- Log into JIRA
- Log out from JIRA
Expected Results:
- The URL shown in the address bar does not show the atl_token value
Actual Results:
- The URL shown in the address bar shows the atl_token value
Impact
After checking with the security teams, this appears to be a low risk problem (as the token is invalid after logging out). However, we should probably not have tokens visible in the URL.
Issue Links
- relates to
  - CONFSERVER-42736 Forms that use the GET method cause the XSRF token to be added to the URL (Closed)
  - JRACLOUD-61250 JIRA puts a user's XSRF token in various resources. (Closed)
  - JRASERVER-44207 atl_token appended to request URL (Gathering Interest)
- has action
  - RM-11289