Jira session gets instantly destroyed

Connect February 5, 2025

We recently upgraded from Jira 9.12.15 LTS to Jira Data Center 10.3.2 and immediately noticed some issues which did not happen previous to the upgrade.

We are running a few tests that require basic authentication through the REST API.

After authenticating for the first time, we are storing locally the cookie with the JSESSION and the xsrf token.

When trying to make new requests with that cookie, we get response code 401 Unauthorized.

Upon checking the logs of the Jira instance we noticed that in the span of a few milliseconds, the session is destroyed, hence why we get Unauthorized on the next request.

It's worth noting that previous to this upgrade, this mechanism was working perfectly fine, nothing has changed with it in a very long time.

Answer accepted
David Bakkers
Rising Star
February 5, 2025

I think this was part of the improvement to the security of v10.2.

AFAIK, to prevent potential session hijacking, the ability to generate permanent user Session Cookies by triggering a Basic auth session inside a web browser has been removed. You must now use the method of providing the user's encoded key+token credentials with every single request, which is really the proper implementation of Basic auth.

Also, because a Basic auth connection inside a web browser is not a two-step authentication method, that would contradict the corresponding enforceable login security policy feature introduced in v10.2.

Connect February 10, 2025

Thanks a lot for the tip @David Bakkers. Looks like I missed that particular change in the changelog. In case someone else gets blocked by this, -Datlassian.authentication.legacy.mode=true switches back the authentication to the old behavior.
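
The client pattern the accepted answer describes, as an added example (not code from this thread or from Atlassian): Basic credentials go out on every request instead of a stored session cookie being replayed. The local stub server, the `/probe` path and the credentials are constructed stand-ins that only mimic the behaviour reported above; they are not Jira's implementation.

```python
import base64
import http.client
import http.server
import threading

USER, SECRET = "test-user", "constructed-secret"  # constructed sample credentials

def basic_header(user, secret):
    """Authorization header value that has to accompany every single request."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

class StubHandler(http.server.BaseHTTPRequestHandler):
    """Local stand-in (not Jira): checks Basic auth per request, ignores cookies."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == basic_header(USER, SECRET)
        self.send_response(200 if ok else 401)
        if ok:  # a cookie is issued but never accepted as proof of identity
            self.send_header("Set-Cookie", "JSESSIONID=constructed; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def status(port, headers):
    """Send one GET with exactly these headers; return (status, Set-Cookie)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/probe", headers=headers)  # hypothetical path
        resp = conn.getresponse()
        return resp.status, resp.getheader("Set-Cookie")
    finally:
        conn.close()

def run_demo():
    """Return statuses for: credentials, cookie-only replay, credentials again."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    auth = {"Authorization": basic_header(USER, SECRET)}
    try:
        first, cookie = status(server.server_port, auth)
        # Old test pattern: drop the credentials and replay only the stored cookie.
        replay, _ = status(server.server_port, {"Cookie": cookie.split(";")[0]})
        second, _ = status(server.server_port, auth)
        return first, replay, second
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

In a real test suite the credentials would come from a secret store or environment variable rather than a constant, and the connection would use TLS, since Basic auth sends the secret with each request.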

Deployment type: Server
Version: 10.3.2
Product plan: Standard