Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-8974

Restrict cookie-based login to SSL users

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Won't Fix
    • None
    • None
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      If someone is snooping HTTP requests and gets hold of your JIRA cookie, this is just as good as a username:password combination - they can log into JIRA as you with it. So in security-conscious installations, cookies over HTTP is not a good idea.

      Cookies can have an SSL bit set, which means the browser won't send them to a website unless SSL is used. We should add an admin option to JIRA to use this bit, and only allow SSL-protected users to store a cookie logging them in.

      Attachments

        Issue Links

          relates to

          Suggestion - JRACLOUD-8974 Restrict cookie-based login to SSL users

          • Closed

          Suggestion - JRASERVER-7250 Support for redirecting from HTTPS to HTTP

          • Closed

          Activity

            People

              Unassigned Unassigned
              7ee5c68a815f Jeff Turner
              Votes:
              4 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: