Jira Data Center / JRASERVER-61250

JIRA puts a user's XSRF token in various resources.


Details

    Description

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      Steps to Reproduce:
      1. Log into JIRA
      2. Log out from JIRA
      Expected Results:
      • The URL shown in the address bar does not show the atl_token value
      Actual Results:
      • The URL shown in the address bar shows the atl_token value
      Impact

      After checking with the security teams, this appears to be a low risk problem (as the token is invalid after logging out). However, we should probably not have tokens visible in the URL.
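
An added example, not part of the original issue or Atlassian's code: a log check that finds request URLs and Referer values carrying `atl_token` and masks the value, for use before access logs are stored or shared. The log lines, host and paths are constructed; only the parameter name comes from the issue.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "atl_token"  # parameter name taken from the issue text

# Combined-log-format fields of interest: request target and Referer.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines (hypothetical host and paths, placeholder token).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /example/logout?atl_token=CONSTRUCTED-TOKEN-AAAA HTTP/1.1" 200 512 "-" "ExampleAgent"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /example/dashboard HTTP/1.1" 200 900 "https://jira.example.test/example/logout?atl_token=CONSTRUCTED-TOKEN-AAAA" "ExampleAgent"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /example/issue?id=1 HTTP/1.1" 200 300 "-" "ExampleAgent"',
]

def redact_url(url):
    """Return (url, found); the atl_token value is masked when present."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key == TOKEN_PARAM for key, _ in pairs):
        return url, False
    masked = [(k, "REDACTED" if k == TOKEN_PARAM else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), True

def scan(lines):
    """Return (line_no, field, redacted_url) for every URL carrying the token."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if not match:
            continue  # not in combined log format; skipped rather than guessed at
        for field in ("target", "referer"):
            redacted, found = redact_url(match.group(field))
            if found:
                hits.append((line_no, field, redacted))
    return hits

if __name__ == "__main__":
    for line_no, field, url in scan(SAMPLE_LOG):
        print(f"line {line_no}: {TOKEN_PARAM} in {field}: {url}")
```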

            People

              Unassigned
              dnorton@atlassian.com Dave Norton
              Votes: 11
              Watchers: 27
