Problem:
In Jira, when a user logs in successfully, a session is created and a JSESSIONID cookie is set. However, if a user copies this JSESSIONID cookie and pastes it into another browser or device, the session remains valid and no re-authentication is prompted. This creates a security concern, as the session can be hijacked by transferring the JSESSIONID cookie to a different device or browser.
Objective:
We aim to enforce 2FA on every session access, even if the JSESSIONID cookie is transferred to another browser or device. Specifically, we want to trigger the 2FA process again if the JSESSIONID is used outside the original device or browser.
A few questions:
1) Are there any Atlassian-specific APIs or configurations that can help tie a session to a specific device or browser?
2) What strategies can be used to prevent session hijacking and force 2FA validation if a session is reused across different contexts (e.g., device, IP address, User-Agent)?
Any insights or solutions would be greatly appreciated!
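As an added illustration of the session-binding strategy raised in question 2 (this is example code written for this page, not code from the original post and not an Atlassian API), the filter below uses only the standard javax.servlet API: on the first request that carries a session it records a fingerprint of the client context (User-Agent plus client address), and on any later request whose fingerprint differs it invalidates the session and redirects to the login page, so the cookie holder has to complete login, including whatever 2FA is enforced there, again. The attribute name, the login path `/login.jsp`, and the `TRUST_FORWARDED_FOR` switch are assumptions to adjust for a real deployment; how the filter is registered in front of Jira (for example as a plugin servlet-filter module) is deployment-specific and not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds an HTTP session to the client context seen on its first request and
 * destroys the session when a later request arrives from a different context.
 * Plain Servlet API only; wiring it into Jira is deployment-specific.
 */
public class SessionBindingFilter implements Filter {

    // Hypothetical session attribute name; any otherwise unused key works.
    private static final String BINDING_ATTR = "example.sessionBinding";

    // Assumption: where a request with a rejected session should be sent.
    // Jira's login page is used here; adjust for an SSO/IdP-fronted setup.
    private static final String LOGIN_PATH = "/login.jsp";

    // Assumption: set to true only when Jira sits behind a reverse proxy you
    // control that rewrites X-Forwarded-For; otherwise the header is
    // attacker-chosen and must not feed the fingerprint.
    private static final boolean TRUST_FORWARDED_FOR = false;

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session from inside this filter.
        HttpSession session = request.getSession(false);
        if (session == null) {
            chain.doFilter(req, res);
            return;
        }

        String current = fingerprint(request);
        Object bound = session.getAttribute(BINDING_ATTR);

        if (bound == null) {
            // First request carrying this session id: record the context.
            session.setAttribute(BINDING_ATTR, current);
        } else if (!MessageDigest.isEqual(
                ((String) bound).getBytes(StandardCharsets.UTF_8),
                current.getBytes(StandardCharsets.UTF_8))) {
            // Cookie replayed from a different context: drop the server-side
            // session so the next request has to go through login again.
            session.invalidate();
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    /** SHA-256 over User-Agent and client address, Base64-encoded for storage. */
    static String fingerprint(HttpServletRequest request) {
        String userAgent = request.getHeader("User-Agent");
        String material = (userAgent == null ? "" : userAgent) + "\n" + clientAddress(request);
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(material.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Client address, honouring X-Forwarded-For only when a trusted proxy sets it. */
    static String clientAddress(HttpServletRequest request) {
        if (TRUST_FORWARDED_FOR) {
            String xff = request.getHeader("X-Forwarded-For");
            if (xff != null && !xff.isEmpty()) {
                // Left-most entry is the original client when the proxy appends.
                return xff.split(",")[0].trim();
            }
        }
        return request.getRemoteAddr();
    }
}
```

Two caveats a practitioner would weigh before relying on this. First, User-Agent and source IP are attacker-controlled: a stolen cookie replayed from a client that copies the victim's User-Agent on the same egress IP (same office NAT, same VPN exit) passes the check, so this is defence in depth, not a substitute for short session lifetimes and re-authentication on sensitive actions. Second, it produces false positives for mobile and VPN users whose address changes mid-session; dropping the address from the fingerprint, or comparing only a prefix, trades detection for usability. Note also that the filter only governs the JSESSIONID-backed session: if "remember my login" is enabled, the separate remember-me cookie can establish a fresh session without a password and would need its own handling.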