Improve Jira Data Center platform behavior for SSO session expiration by refreshing XSRF tokens on re-login

    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Login

      Problem

      In Jira Data Center with SSO configured:

      The XSRF token is tied to the Jira web session.

      When the Jira session expires (via normal timeout, Bot Session Killer, node change, etc.), but the user’s IdP session is still valid, the user may:

      • Be transparently re-authenticated via SSO, or
      • Be redirected through the IdP and then back to Jira.

      If the user submits a form after the Jira session has expired (e.g., create/edit issue, transition, comment, bulk change), Jira often responds with:

      “XSRF Security Token Missing or session expiring in Jira Data Center”

      The user then has to re-perform the operation, and may lose all form data. This is particularly painful for:

      • Long issue forms (custom fields, descriptions, attachments),
      • Bulk operations,
      • Administrative screens with many fields.

      Current guidance (session timeout tuning, LB stickiness, disabling Bot Session Killer, relaxing checks via dark features) helps reduce frequency, but does not address the platform behavior or user experience once the situation occurs.

      Requested Platform Behavior

      When Jira DC detects an invalid/expired XSRF token for a POST, and the user is (re)authenticated via SSO:

      1. Detect the SSO re-auth / new session
        • Identify that the user has just established a new authenticated Jira session via SSO for this browser.
      2. Refresh XSRF token at the platform level
        • Issue a new XSRF token bound to the newly created Jira session (and other relevant factors) as part of the re-auth flow.
      3. Gracefully handle the in-flight POST
        • Instead of immediately rendering the “XSRF Security Token Missing…” error page:
          • Either:
            • Accept the original POST and complete the operation using the newly issued token, or
            • Redirect to a confirmation page where:
              • The form data is preserved (pre-populated),
              • The user is clearly informed: “Your session expired and you were re-authenticated via SSO. Please review and confirm to complete this action.”

      Acceptance Criteria (Platform-Level)

      1. With Jira DC + SSO configured, if a user’s Jira session expires while filling out an issue create/edit form:
        • On submit, the user is silently or explicitly re-authenticated via SSO, and
        • The operation either completes, or the form is re-rendered with data intact and a clear message, rather than an “XSRF Security Token Missing…” error page.
      2. The same applies to:
        • Issue transitions,
        • Comments,
        • Bulk change flows,
        • Common administrative forms.
      3. XSRF protections remain enabled and enforced; only the handling of the expired/session-mismatched token + SSO re-auth path is changed.
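      The requested flow and acceptance criterion 3, modelled as an added example (hypothetical code, not Jira's): sessions carry their own XSRF token, a live session still enforces the check unchanged, and an expired session with a valid IdP session gets a new session plus a fresh token and has its form data handed back for the confirmation step instead of the error page. The `idp_user` argument stands in for the SSO re-auth result; the replay-the-original-POST variant is not modelled.

```python
import secrets

# Minimal model of the session/XSRF handling the ticket asks for.
SESSION_TTL = 30 * 60  # seconds; constructed value


class SessionStore:
    """In-memory sessions; each carries its own XSRF token, as in Jira DC."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "xsrf": secrets.token_urlsafe(24),
                               "expires": now + SESSION_TTL}
        return sid

    def get(self, sid, now):
        s = self._sessions.get(sid)
        if s is None or s["expires"] <= now:
            self._sessions.pop(sid, None)  # unknown or expired: drop it
            return None
        return s


def handle_post(store, sid, xsrf, form, idp_user, now):
    """Decide what happens to an in-flight form POST.

    idp_user is the user the IdP still vouches for (None = no IdP session);
    it stands in for the SSO re-auth step. Returns a dict with a status and
    whatever the next step needs."""
    session = store.get(sid, now)
    if session is not None:
        # Live Jira session: the XSRF check is enforced exactly as before.
        if secrets.compare_digest(session["xsrf"], xsrf):
            return {"status": "ok", "user": session["user"]}
        return {"status": "xsrf_rejected"}
    if idp_user is None:
        # No Jira session and no IdP session: nothing to re-authenticate against.
        return {"status": "login_required"}
    # Jira session gone but IdP session valid: create a new session with a
    # fresh token bound to it, and return the preserved form for confirmation
    # rather than rendering the "XSRF Security Token Missing" error page.
    new_sid = store.create(idp_user, now)
    return {"status": "confirm", "session": new_sid,
            "xsrf": store.get(new_sid, now)["xsrf"], "form": dict(form),
            "message": "Your session expired and you were re-authenticated via "
                       "SSO. Please review and confirm to complete this action."}
```

The old token is never accepted against the new session; the confirmation POST must carry the freshly issued one.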

              Assignee:
              Unassigned
              Reporter:
              Jeff Curry
              Votes:
              1
              Watchers:
              2