Enforcing 2FA on Session Hijacking with JSESSIONID

Problem:
In Jira, when a user logs in successfully, a session is created, and a JSESSIONID cookie is set. However, if a user copies this JSESSIONID cookie and pastes it into another browser or device, the session remains valid, and no re-authentication is prompted. This creates a security concern, as the session can be hijacked by transferring the JSESSIONID cookie to a different device or browser.

Objective:
We aim to enforce 2FA on every session access, even if the JSESSIONID cookie is transferred to another browser or device. Specifically, we want to trigger the 2FA process again if the JSESSIONID is used outside the original device or browser.

A few questions:

1). Are there any Atlassian-specific APIs or configurations that can help tie a session to a specific device or browser?

2). What strategies can be used to prevent session hijacking and force 2FA validation if a session is reused across different contexts (e.g., device, IP address, User-Agent)?

Any insights or solutions would be greatly appreciated!

Solved!

Are you able to provide a detailed overview of the method you used to solve the problem?

This provides others with an opportunity to apply your method if they have a similar problem and they find this thread


Naive Solution - Better than not having one

Step 1. Storing Unique Session Attributes

To prevent unauthorized session reuse, we extend the session to store additional attributes that uniquely identify the user’s device and browser. These attributes will be checked every time a request is made.

  • Device & Browser Fingerprinting:
    • When a session is created, we extract and store browser-related details such as the User-Agent string and other fingerprinting data.
    • We also capture the IP address to track the user’s network.
    • This data is stored in the session when the user logs in.

Step 2. Validating Session on Each Request

Every time a user makes a request, we perform the following validation:

  1. Extract Request Details:
    Retrieve the User-Agent and IP Address from the incoming request.
  2. Compare with Stored Session Attributes:
    Check if the current request’s User-Agent and IP Address match the stored session values.
  3. Action Based on the Validation Result:
    If the values match, allow access as usual.
    If not, prompt the user to verify their identity using 2FA before continuing.

I’m still exploring a more secure way to implement this.
Open to brainstorming ideas—any suggestions are welcome!

Thank you!
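The two steps above (bind User-Agent and IP into the session at login, re-check on every request, and require a second factor on mismatch) as a servlet filter; this is an added example, not Jira's or the poster's code. The attribute names, the step-up URL and the Servlet 4.0 API are assumptions; note that the User-Agent is client-supplied and the IP may legitimately change (mobile networks, NAT), so a mismatch should trigger step-up verification rather than a hard block.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Binds an HTTP session to a fingerprint of the client context; forces 2FA step-up on mismatch. */
public class SessionBindingFilter implements Filter {
    // Hypothetical session attribute names and step-up page (not Jira's own).
    static final String FP_ATTR = "sb.fingerprint";
    static final String VERIFIED_ATTR = "sb.twoFactorVerified";
    static final String STEP_UP_PATH = "/secure/StepUp2FA.jspa";

    /** SHA-256 over User-Agent and client IP. Behind a proxy, take the IP from the
     *  proxy-set header instead of getRemoteAddr(), and only if that proxy is trusted. */
    static String fingerprint(String userAgent, String remoteAddr) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update((userAgent == null ? "" : userAgent).getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0); // separator so "ab"+"c" and "a"+"bc" differ
            md.update((remoteAddr == null ? "" : remoteAddr).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);
        // Anonymous request, or the step-up page itself: let it through.
        if (session == null || request.getServletPath().startsWith(STEP_UP_PATH)) {
            chain.doFilter(req, res);
            return;
        }
        String current = fingerprint(request.getHeader("User-Agent"), request.getRemoteAddr());
        String stored = (String) session.getAttribute(FP_ATTR);
        if (stored == null) {
            session.setAttribute(FP_ATTR, current); // first request after login: bind the session
        } else if (!stored.equals(current)) {
            // Context changed: cookie replayed elsewhere or a legitimate IP/browser change.
            // Mark the session unverified; the (hypothetical) step-up handler re-stores FP_ATTR
            // only after the second factor is confirmed.
            session.setAttribute(VERIFIED_ATTR, Boolean.FALSE);
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + STEP_UP_PATH);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Log every mismatch with the user, session id hash and both fingerprints; a burst of mismatches from one session is the detection signal for cookie replay, while a single IP change per user is usually benign.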