JIRA 6.2 – This documentation is for the downloadable version of JIRA 6.2.
Not using this? See the JIRA OnDemand documentation or earlier versions of the documentation.
Please refer to the Form Token Handling documentation on our developer documentation site for more information about how this feature is implemented in JIRA.
This page really wants an explanation or link to information about the impact of this change. What advantages does form token checking provide such that I would want it enabled? Currently, as far as I'm concerned, it's just annoying and this page bolsters that conclusion. It should at least link to http://confluence.atlassian.com/display/JIRA/Form+Token+Handling which I found through Google.
I would agree with this comment. The default setting generates "you've been timed out" type errors, and searching for this just leads to this page that essentially says, "here's how you turn it off".
On the basis that Atlassian had a reason for the default setting, I'm nervous about changing it without understanding what the consequence is. And other than the earlier commenter's link there is no explanation.
I completely agree with Chris, and unfortunately the link in the first comment is now disabled...
I understand that disabling it would open Jira to XSRF attacks, which are unlikely but...
Apologies everyone for the delay. As requested and quite rightly so, a link has been added to the Form Token Handling documentation.
To disable form token checking in JIRA 6.1.x, edit the jira.xsrf.enabled value in the jpm.xml file located in atlassian-jira/WEB-INF/classes. This would be unwise for a publicly-available site. For those who only run JIRA on internal networks, the risk of not blocking possible cross-site scripting is less, while the security advantage for staff browsers in disabling cookies should also be weighed.
Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.