ajs_anonymous_id & ajs_group_id cookies are Insecure Cookies?

Yougal
August 2, 2021

Hello team,

Our penetration testing team reported an issue stating that ajs_anonymous_id and ajs_group_id are insecure cookies:

Below is the issue:

Cookies are used mostly to achieve the below

1. Session Management
2. Tracking

To secure the cookies and reduce the attack surface surrounding the cookies, attributes were introduced which are discussed below

1. Secure: This attribute tells the browser to only send the cookies over a secure HTTPS connection.
2. HttpOnly: This attribute prevents cookies from being accessed from the client-side JavaScript.
3. Expires: This attribute helps the application to set persistent cookies.
4. SameSite: This attribute is used to prevent browsers from using cookies for cross-origin requests.


After investigation we noticed that it's from JSD. Could you please confirm whether these are insecure? If yes, we need to remove JSD.


Thanks,

Yougal BISHT

Securends
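As an added example (not part of the question above, and not Atlassian's or Jira Service Management's code), here is a small Python audit that parses Set-Cookie header values and reports which of the four attributes listed in the question are missing. It treats cookies that carry session state differently from tracking identifiers of the kind the pentest flagged, since a missing HttpOnly or a long lifetime only matters where the cookie contents are worth stealing. The sample headers, including the placeholder values shown for ajs_anonymous_id and ajs_group_id and the hypothetical legacy_sid cookie, are constructed for illustration and were not captured from any real site.

```python
"""Audit Set-Cookie header values for the Secure, HttpOnly, SameSite and
Expires/Max-Age attributes.  Added example; the sample headers below are
constructed for illustration and were not captured from any real site."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    persistent: bool          # Expires or Max-Age present
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lowercased.
    The cookie value itself is ignored: only the attributes matter here.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite")
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=samesite.capitalize() if samesite else None,
        persistent="expires" in attrs or "max-age" in attrs,
    )


def audit_cookie(header: str, session_cookies: Set[str]) -> CookieAudit:
    """Apply the checks described in the question.

    Missing Secure and SameSite are reported for every cookie.  Missing HttpOnly
    and persistence are only reported for cookies that carry session state,
    because that is where script access or a long lifetime gives an attacker
    something to steal; a tracking id without them is a lower-risk finding.
    """
    cookie = parse_set_cookie(header)
    is_session = cookie.name in session_cookies
    if not cookie.secure:
        cookie.findings.append("missing Secure")
    if is_session and not cookie.httponly:
        cookie.findings.append("missing HttpOnly")
    if cookie.samesite is None:
        cookie.findings.append("missing SameSite")
    elif cookie.samesite == "None" and not cookie.secure:
        # Modern browsers reject SameSite=None unless Secure is also set.
        cookie.findings.append("SameSite=None without Secure")
    if is_session and cookie.persistent:
        cookie.findings.append("session cookie is persistent (Expires/Max-Age)")
    return cookie


def audit_all(headers: Iterable[str], session_cookies: Set[str]) -> Dict[str, List[str]]:
    """Return {cookie name: findings} for a list of Set-Cookie values."""
    return {c.name: c.findings
            for c in (audit_cookie(h, session_cookies) for h in headers)}


# Constructed sample headers: the values are placeholders, and legacy_sid is a
# hypothetical session cookie used only to show the session-specific checks.
SAMPLE_HEADERS = [
    "JSESSIONID=placeholder; Path=/; Secure; HttpOnly; SameSite=Lax",
    "ajs_anonymous_id=%22placeholder%22; Path=/; Expires=Wed, 01 Sep 2021 00:00:00 GMT",
    "ajs_group_id=null; Path=/; Max-Age=31536000",
    "legacy_sid=placeholder; Path=/; SameSite=None; Expires=Wed, 01 Sep 2021 00:00:00 GMT",
]
SESSION_COOKIES = {"JSESSIONID", "legacy_sid"}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS, SESSION_COOKIES).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```

Run against a real response, feed it every Set-Cookie header the server returned (one call per header, since a single header carries one cookie) and put the names of your session cookies in the set; the two ajs_ cookies then show up as "missing Secure, missing SameSite", which is the information the pentest report and the accepted answer below are both talking about, without the HttpOnly or persistence findings that would apply to a session cookie.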

1 answer

1 accepted

1 vote
Answer accepted
Andy Heinzer
Atlassian Team
August 3, 2021

Hi,
I can confirm that those two cookies are not marked as secure cookies when visiting the customer portal within Jira Service Management. I found a related support case where another customer was inquiring about those specific cookies. The information I found indicated that those two specific cookies do not contain any sensitive data, which is why they do not have the secure attribute. My initial thought was that these cookies might have been due to the portal option to allow anonymous users to visit the help center; however, I found that even disabling that feature within JSM does not change the attributes of those cookies.


If I understand correctly, you are indicating that you want to remove Jira Service Management from your site because of these insecure cookies. This is not something that your particular user account would be able to do. Instead you would need to reach out to one of your site-admins to be able to remove that product if necessary. However, if this is still a problem, I would strongly recommend that you have one of your site-admins reach out to our support team over in https://support.atlassian.com/contact. Site-admins of paid cloud sites have the ability to create such technical support cases. However, end users like yourself do not have that ability per our Support offerings. If your account tries to make that request, it would just be redirected here to Community again.

I hope this helps.

Andy

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD