Open Session becomes available on all previous browsers

When I log in to JIRA in the browser on my computer, the session becomes open/available in the browser on another computer where I opened a session before, even though I closed the session in that other browser. In other words, when I open the session on my computer, it becomes available again on the other computer.

We see this as a big security issue.

3 answers

1 accepted

0 votes
Accepted answer

I found the answer after testing different options.

There are two steps in the log out process.

1. Log out link.

2. Confirm Log-out (see screenshot). If we do not confirm it, the session is still alive. If we press the Log out button, it closes the session of the account on Jira (this means we have to log in again from the other computers too). In conclusion, there is only one open session on JIRA (Log-out affects all the computer browsers that have a session open).

0 votes

Hmm. I'm not sure that's correct behaviour. I'd expect Jira to be thinking "user has logged in" and know that you're active, but I agree with you that it probably shouldn't be remembering you on different computers like that.

But I'm also not sure it's a real security issue. If you are using computer A, then move to B, then you should have locked or shut down A. If you are leaving sessions running on a computer other people can get access to, then your physical security is already compromised...

I'm really not sure that it is - no-one should have access to a locked computer, and that's actually how SSO works - you're logged in, so you should be able to use the system. Doesn't matter where it's from.

The issue I see is "the session was open automatically" - what's automatically opening? It's logged in, yes, but what's "open"?

I did not leave a session open on computer B (I logged-out), but when I open my session again on my computer A, automatically on computer B the session is open. It really surprised me when I saw this behavior. I spent some time testing and I was able to reproduce the issue.

Steps.

1. Log-in computer A

2. Log-in computer B

3. Log-out computer B

4. Go to computer A. (This is another issue, but do not pay attention to it; we can survive with it. It logged me out on A too.) Log in again.

5. Go to computer B. (The session was open automatically.)

6. The end.

This is a security issue.

I do not think that was quite my question.

Let me rephrase my question:

Steps:

1. I log on to JIRA from the browser on my workstation.

2. I log on to JIRA from the browser on the computer in the conference room.

3. I log out of JIRA from the browser on the computer in the conference room.

4. I go back to my workstation and session is closed.

5. I re-login on JIRA from the browser on my workstation.

6. Someone else on the computer in the conference room opens up the browser and my JIRA Account is open.

7. How do I prevent having my account open on the conference room computer after I logged out?

8. Is this a normal workflow on JIRA?

Try clearing the cookie cache on the conference room browser after logging out. If you have remember the last login set, then going to a Jira page will open things up again.

I am a bit confused about step 6, since in step 3 you should have logged out and closed down the browser. Opening up the browser in step 6 should bring you to the default browser page unless that is Jira.

I could see this type of behavior being normal with cookies enabled and/or with single sign-on (SSO). I am not saying that it is correct or incorrect behavior, just that I can see it happening.

Ok. Thanks. I'll try to do it.
