Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

ajs_anonymous_id & ajs_group_id cookies are Insecure Cookies?

Yougal
Yougal
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 2, 2021

Hello team,

Our  penetration testing team report and issue stating ajs_anonymous_id and ajs_group_id are insecure cookies:

Below is the issue:

Cookies are used mostly to achieve the below

1. Session Management
2. Tracking

To secure the cookies and reduce the attack surface surrounding the cookies, attributes were introduced which are discussed below

1. Secure: This attribute tells the browser to only send the cookies over a secure HTTPS connection. 
2. HttpOnly: This attribute prevents cookies from being accessed from the client-side Javascript.
3. Expires: This attribute helps the application to set persistent cookies.
4. SameSite: This attribute is used to prevent browsers from using cookies for cross-origin requests.

 

After investigation we notices that its from jsd. Could you please confirm that are these insecure if yes we need to remove the jsd.

 

Thanks,

Yougal BISHT

Securends

Answer
Watch
Like Be the first to like this
3910 views

1 answer

1 accepted

1 vote
Answer accepted
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 3, 2021

Hi,
I can confirm that those two cookies are not marked as secure cookies when visiting the customer portal within Jira Service Management.  I found a related support case where another customer was inquiring about those specific cookies.  The information I found indicated that those two specific cookies do not contain any sensitive data.  Which is why they do not have the secure attribute.  My initial thought was that these cookies might have been due to the portal option to allow anonymous users to visit the help center, however I found that even disabling that feature within JSM does not change the attributes of those cookies.

 

If I understand correctly, you are indicating that you want to remove Jira Service Management from your site because of these insecure cookies.  This is not something that your particular user account would be able to do.  Instead you would need to reach out to one of your site-admins to be able to remove that product if necessary.  However if this is still a problem, I would strongly recommend that you have one of your site-admins reach out to our support team over in https://support.atlassian.com/contact  Site-admins of paid cloud sites have the ability to create such technical support cases. However end users like yourself do not have that ability per our Support offerings. If your account tries to make that request it would just be redirected here to Community again.

I hope this helps.

Andy

Reply

Suggest an answer

Log in or Sign up to answer
Jira Service Desk
Jira Service Management
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security