Issue collector not matching submitter user's session to make them issue reporter


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


Summary

When a logged-in user tries to raise a ticket through Issue Collector, their user session is no longer matched, which means the user needs to enter their email address while reporting feedback (the same as when a user submits feedback anonymously).

This is working as designed. The behaviour was changed to accommodate the stricter SameSite cookie policy implemented in Chrome 80. Read on for more details.

Environment

This behaviour appears in the following Jira versions and later: 8.7.0, 8.5.4, 8.6.2, 7.13.13.

Diagnosis

  1. Log in to Jira
  2. Use the Issue Collector functionality to raise feedback in Jira
  3. The Issue Collector asks for an email address to match the Reporter field, although the user is already logged in

Cause

Recently, Chrome added a new cookie policy, related to SameSite cookie settings, to versions 80 and higher. These changes are being added to other browsers as well, all with the purpose of improving security and preventing Cross-Site Request Forgery attacks. More about these changes can be found in this external resource: Developers: Get Ready for New SameSite=None; Secure Cookie Settings. Moreover, these changes are being implemented as part of an IETF recommendation and are being adopted as an industry standard.

Implementing SameSite cookie controls would break Issue Collector functionality for collectors that appear on separate domains. This was addressed in the scope of the following bug ticket: JRASERVER-70494

Part of the solution for making Issue Collectors work for Chrome 80+ users is to drop the XSRF token check. However, this check was used by one piece of Jira Issue Collector functionality: a particular Issue Collector could be configured so that the reporter of the newly created issue was matched with the currently logged-in user.
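The browser-side rule behind this breakage, as an added example that is not part of the original article or Atlassian's code: a simplified JavaScript model of the Chrome 80+ SameSite decision, showing when a session cookie reaches Jira from an embedded collector. The hostnames, the `/collector-submit` path and the cookie objects are constructed for illustration.

```javascript
// Simplified model of the Chrome 80+ SameSite rules (added example).
// Assumption: a "site" is approximated by the last two hostname labels;
// real browsers use the Public Suffix List and also compare the scheme.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure }
// request: { url, method, fromPage (top-level page it is made from),
//            topLevelNavigation }
function cookieIsSent(cookie, request) {
  // Chrome 80+: a cookie without a SameSite attribute is treated as Lax.
  const mode = cookie.sameSite || 'Lax';
  // Chrome 80+: SameSite=None is rejected unless the cookie is also Secure.
  if (mode === 'None' && !cookie.secure) return false;
  // Secure cookies are only sent over HTTPS.
  if (cookie.secure && new URL(request.url).protocol !== 'https:') return false;

  if (siteOf(request.url) === siteOf(request.fromPage)) return true;
  if (mode === 'None') return true;
  if (mode === 'Strict') return false;
  // Lax: cross-site only for top-level navigations using a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Constructed scenario: a collector form embedded in a page posts feedback
// to Jira. Hostnames and path are hypothetical placeholders.
function collectorPost(fromPage) {
  return {
    url: 'https://jira.example.com/collector-submit',
    method: 'POST',
    fromPage,
    topLevelNavigation: false, // the form lives in an embedded frame
  };
}

// Sample cookies (constructed values).
const legacySession = { name: 'JSESSIONID', sameSite: undefined, secure: true };
const noneSecure = { name: 'JSESSIONID', sameSite: 'None', secure: true };
const noneInsecure = { name: 'JSESSIONID', sameSite: 'None', secure: false };

const crossSite = collectorPost('https://www.example.org/contact');
const sameSite = collectorPost('https://intranet.example.com/help');

console.log('cross-site, no SameSite:', cookieIsSent(legacySession, crossSite));
console.log('same-site,  no SameSite:', cookieIsSent(legacySession, sameSite));
console.log('cross-site, None+Secure:', cookieIsSent(noneSecure, crossSite));
```

In the cross-site case the session cookie is withheld, so the server sees the submission as coming from an anonymous user.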

Since Issue Collector cannot provide that functionality without XSRF token check, a trade-off has been made and this feature was removed. Issue Collector no longer uses the logged-in user session for its logic, so it is no longer possible to match the session and set the logged-in user as reporter.

This means users will need to enter their email address in the Issue Collector form.

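The Jira Software 8.5.4 upgrade notes describe how the Issue Collector behaviour was changed in order to avoid the impact of the new SameSite policy:

An upcoming update to the Chrome browser introduces a new cookie security feature, which will essentially break issue collectors embedded on separate domains. We've fixed this problem, but the behaviour of issue collectors has changed as follows:

  • It's no longer possible to match the submitter's user session to set them as the issue reporter. Matching by email address still works.
  • Third-party cookies no longer need to be enabled for issue collectors to work. We've removed this requirement and some of the error messages that reminded about it.
  • The success message shown after submitting feedback no longer displays the project and issue key (unless the project is open to everyone on the web). We made this change to improve security by not disclosing information about projects and issues.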

Solution

This behaviour is working as designed, as per the explanation above.

A stricter SameSite policy is being adopted with the purpose of improving user security. These modifications to Issue Collector functionality were therefore made to ensure it works properly while adhering to the SameSite cookie controls in the browser.

Please vote for the following feature request if you would like the removed functionality back in Jira: JRASERVER-71186

Other

References for further reading:

Description: Issue collector not matching submitter user's session to make them issue reporter
Product: Jira
Last updated: November 23, 2020
