User 'A' was logged into Bitbucket Server via Crowd Authentication on Friday and left their computer running over the long weekend.
On Tuesday User 'A' went back to their computer and created a Pull Request in Bitbucket. The Pull Request was submitted as User 'B'. User 'A' then noticed their Avatar and profile were of User 'B' in Bitbucket and believes they were also the same in Confluence and Jira.
Crowd is configured for database storage and to expire tokens after 12 hours; however, in this case the token did not expire, or it did but User 'B' got the same token by chance and updated the expiration date when they logged in on Tuesday before User 'A' did.
I checked the Crowd Session Cookie and it does not have an expiration date; it is set to last as long as the browser session. If the browser session is left up for a long time, this sounds like a problem.
Atlassian Standard Support provided only break/fix support, e.g. User 'A' logged out and logged back in again and was themselves, so it is 'fixed'.
This is a much more concerning issue; it would seem to indicate that Crowd SSO is not secure enough for production use.
Anyone else seen this or have any thoughts?
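The check described in the post (does the SSO cookie carry an expiry, and is it bounded by the 12-hour server-side token expiry?), as an added example that is not part of the post or of Atlassian's code: it parses Set-Cookie headers and flags an SSO cookie that is browser-session scoped or that outlives the configured token expiry. The cookie name crowd.token_key, the sample headers and the clock are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Assumed default name of the Crowd SSO cookie; the post does not name it.
SSO_COOKIE_NAMES = {"crowd.token_key"}
# Server-side token expiry as configured in the post: 12 hours.
TOKEN_EXPIRY = timedelta(hours=12)

def audit_cookie(set_cookie: str, now: datetime) -> dict:
    """Parse one Set-Cookie header; lifetime is None when the cookie is
    browser-session scoped (neither Max-Age nor Expires present)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    ((name, morsel),) = jar.items()
    lifetime = None
    if morsel["max-age"]:  # Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        lifetime = parsedate_to_datetime(morsel["expires"]) - now
    return {"name": name, "session_scoped": lifetime is None, "lifetime": lifetime,
            "secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}

def findings(headers, now: datetime, token_expiry: timedelta = TOKEN_EXPIRY) -> list:
    """Report SSO cookies whose lifetime is not bounded by the token expiry."""
    out = []
    for c in (audit_cookie(h, now) for h in headers):
        if c["name"] not in SSO_COOKIE_NAMES:
            continue  # e.g. JSESSIONID: an app session, not the SSO token
        if c["session_scoped"]:
            out.append(f"{c['name']}: no Max-Age/Expires, valid for the whole browser "
                       f"session; only the {token_expiry} server-side expiry bounds it")
        elif c["lifetime"] > token_expiry:
            out.append(f"{c['name']}: lifetime {c['lifetime']} exceeds the "
                       f"{token_expiry} token expiry")
    return out

# Constructed sample headers and clock; not captured from a real Crowd instance.
NOW = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "crowd.token_key=tokenA; Path=/; HttpOnly",                                # session-scoped
    "crowd.token_key=tokenB; Max-Age=43200; Path=/; Secure; HttpOnly",         # 12h, matches
    "crowd.token_key=tokenC; Expires=Sat, 02 Jan 2021 12:00:00 GMT; Path=/",  # 24h, too long
    "JSESSIONID=1234; Path=/",
]

def run_audit() -> list:
    return findings(SAMPLE_HEADERS, NOW)
```

Run it against the real Set-Cookie headers from a Crowd-backed login response to see whether the SSO cookie's lifetime matches the expiry configured in Crowd.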