Is it secure to store user private data using AP.cookie?

javascript
jira-cloud
atlassian-connect

#1

Hi,

We want to use the AP.cookie method from the JS API (https://developer.atlassian.com/cloud/confluence/jsapi/cookie/) and for us, it means that user data will be transferred to Atlassian servers on each request. Is it secure to store private user data using AP.cookie? Does Atlassian use cookies to store private data themselves?


#2

What kind of data are you storing? If it’s user preference, account if type of thing - I can think Atlassian would have an issue (but I’m not Atlassian). However, if you’re storing PII or sensitive info - cookies are stored as plain text on the browser side (or can be), so it’s probably not advisable.


#3

We plan to store user access credentials, and that is a kind of sensitive info, but a cookie could be considered secure storage because of browser-level isolation. In our case it is OK if a user accesses their own access credentials.

The main issue with AP.cookie is that all cookies will be transferred to the Atlassian host on every call, and we don’t know whether Atlassian itself stores any sensitive info in its cookies.


#4

Hi @nnmatveev,

AFAIK, AP.cookie is considered “secure” as we enforce it over HTTPS. We make use of cookies as well as discussed here and here. In relation to GDPR or Atlassian storing the cookies, I was informed that there would be no issue, i.e. if some of the cookies you send us contain PD, because we don’t actually store these.

Cheers,
Anne Calantog