Unable to access Jira on HTTP after enabling HTTPS

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After enabling HTTPS on Jira, either directly on Jira's Tomcat or through a reverse proxy, without HTTP to HTTPS redirection enabled, logging in to Jira over HTTP is no longer possible. This is observed in all browsers.

HTTPS continues to work, but users cannot log in to Jira over HTTP if they previously had a valid login over HTTPS in the same browser session.

Diagnosis

Environment

  • Jira running on HTTP/HTTPS without HTTP to HTTPS redirection enabled.


Diagnostic Steps

  • The way to investigate this issue is to examine the login request and verify whether the browser is actually sending the correct session cookie.

    This can be done by checking the request and response headers in the browser's developer tools (Network section), or by looking into a HAR file recorded for the login session.

    Verify the Set-Cookie header in the Jira login response and the Cookie header in the browser's subsequent requests.

    Looking at the HTTPS headers, the login flow is normal: Jira sends a Set-Cookie header for the JSESSIONID session cookie in the response to the login URL, and the browser sends that cookie value back in the Cookie header of all subsequent requests.

    This is the expected behavior of a successful login.
    In the HTTP login scenario things are different: Jira sends the JSESSIONID Set-Cookie header in the response to the login request to set the session cookie, but the browser does not send any cookie in its subsequent requests to Jira.

    Thus, Jira fails to identify that the user has a valid session and asks the user to log in again, sending another Set-Cookie with another JSESSIONID. This pattern repeats without ever allowing the user to be logged in, as long as the requests are sent over HTTP.


  • Another diagnostic step is to try to log in to Jira over HTTP with the browser in private/incognito mode. If the HTTP login works in incognito mode, this proves that the browser blocks the login because it has a history entry for a session that was established over HTTPS.
    Incognito mode effectively ignores all previous browser history and is isolated from the cookie store of the normal browser profile, so there is no risk of an HTTP cookie overwriting an HTTPS cookie. This allows the JSESSIONID cookie to be sent back in the HTTP context, and the HTTP login works.
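The header check described in the diagnostic steps can be automated against a HAR export. The script below is an added example and is not part of the Atlassian article: it looks for the JSESSIONID value in each Set-Cookie header returned by the login URL and reports whether any later request to the same host and scheme sent that value back in its Cookie header. The HAR data is constructed inline to show both the working HTTPS flow and the failing HTTP flow; the login path `/login.jsp` and the hostname `jira.example.com` are assumptions.

```python
"""Check whether the JSESSIONID set by the Jira login response is echoed back.

Added example (not from the Atlassian article). The HAR content below is
constructed by hand; '/login.jsp' and 'jira.example.com' are assumptions.
"""
import json
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

COOKIE_NAME = "JSESSIONID"
LOGIN_PATH = "/login.jsp"  # assumed Jira login URL path


def _header(headers, name):
    """All values of a header (case-insensitive) from a HAR header list."""
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]


def session_cookie_from_response(entry):
    """JSESSIONID value from the Set-Cookie header(s) of a HAR entry, or None."""
    for raw in _header(entry["response"]["headers"], "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        if COOKIE_NAME in jar:
            return jar[COOKIE_NAME].value
    return None


def cookies_in_request(entry):
    """Parse the request Cookie header(s) into a name -> value dict."""
    out = {}
    for raw in _header(entry["request"]["headers"], "Cookie"):
        for part in raw.split(";"):
            if "=" in part:
                name, value = part.strip().split("=", 1)
                out[name] = value
    return out


def analyse(har):
    """Return (scheme, session_id, echoed) for every login response that set a session."""
    entries = har["log"]["entries"]
    results = []
    for i, entry in enumerate(entries):
        url = urlsplit(entry["request"]["url"])
        if url.path != LOGIN_PATH:
            continue
        sid = session_cookie_from_response(entry)
        if sid is None:
            continue
        # Did any later request to the same host and scheme carry this JSESSIONID?
        echoed = any(
            cookies_in_request(later).get(COOKIE_NAME) == sid
            for later in entries[i + 1:]
            if urlsplit(later["request"]["url"])[:2] == url[:2]
        )
        results.append((url.scheme, sid, echoed))
    return results


def load_har(path):
    """Load a HAR file saved from the browser's developer tools."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _entry(url, req_headers=(), resp_headers=(), status=200):
    """Build a minimal HAR entry (constructed sample data)."""
    return {
        "request": {"url": url, "headers": [{"name": n, "value": v} for n, v in req_headers]},
        "response": {"status": status, "headers": [{"name": n, "value": v} for n, v in resp_headers]},
    }


# Constructed capture: HTTPS login works, HTTP login loops on new JSESSIONIDs.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://jira.example.com/login.jsp", status=302,
           resp_headers=[("Set-Cookie", "JSESSIONID=A1; Path=/; Secure; HttpOnly")]),
    _entry("https://jira.example.com/secure/Dashboard.jspa",
           req_headers=[("Cookie", "JSESSIONID=A1; atlassian.xsrf.token=xyz")]),
    _entry("http://jira.example.com/login.jsp", status=302,
           resp_headers=[("Set-Cookie", "JSESSIONID=B2; Path=/; HttpOnly")]),
    _entry("http://jira.example.com/secure/Dashboard.jspa"),
    _entry("http://jira.example.com/login.jsp", status=302,
           resp_headers=[("Set-Cookie", "JSESSIONID=C3; Path=/; HttpOnly")]),
]}}

if __name__ == "__main__":
    for scheme, sid, echoed in analyse(SAMPLE_HAR):
        state = "sent back by browser" if echoed else "NOT sent back (session lost)"
        print(f"{scheme:5} login set {COOKIE_NAME}={sid}: {state}")
```

Run it against a real capture with `analyse(load_har("login.har"))`; an HTTP login whose JSESSIONID is never echoed back, followed by further login responses with fresh values, is the pattern this article describes.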

Cause

This behavior is a side effect of stricter cookie handling implemented by modern browsers.

Modern browsers, such as newer versions of Google Chrome, Mozilla Firefox and Microsoft Edge, do not allow a cookie to be set from an HTTP context on a domain that already has that cookie set from HTTPS.

This ensures that secure HTTPS cookies stay secure and are not overwritten or hijacked by an insecure cookie coming from a plain-text HTTP context, which might be compromised.

This is why the browser refuses the JSESSIONID cookie coming from the HTTP context: it remembers that it already holds a cookie of that name for the same domain from an HTTPS context, and does not send it back over HTTP.
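The browser rule described above can be modelled in a few lines. The following is an added example, not code from the article or from any browser: a simplified cookie jar that (1) refuses a Secure cookie set from a non-HTTPS origin, (2) refuses a non-secure origin that tries to create or overwrite a cookie whose name already exists as a Secure cookie for the domain, and (3) never attaches Secure cookies to HTTP requests. It assumes the HTTPS login sets JSESSIONID with the Secure attribute and the HTTP login sets it without, and uses `jira.example.com` as a placeholder host. The `demo()` function walks through the three situations in the article: a working HTTPS login, the failing HTTP login afterwards in the same profile, and the HTTP login in a fresh (incognito) profile.

```python
"""Simplified model of the browser rule behind the symptom (added example).

Not any browser's real implementation. Cookie attributes and hostname are
assumptions: Secure on the HTTPS login response, no Secure flag on HTTP.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


class CookieJar:
    def __init__(self):
        self.cookies = {}  # (domain, path, name) -> StoredCookie

    def set_from_response(self, url, set_cookie_header):
        """Store cookies from a Set-Cookie header; False if any were refused."""
        u = urlsplit(url)
        from_secure = u.scheme == "https"
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        accepted = True
        for name, morsel in parsed.items():
            path = morsel["path"] or "/"
            secure = bool(morsel["secure"])
            # Rule 1: the Secure attribute is only honoured from a secure origin.
            if secure and not from_secure:
                accepted = False
                continue
            # Rule 2: an insecure origin may not create or overwrite a cookie
            # whose name already exists as a Secure cookie for this domain.
            if not from_secure and any(
                c.secure and c.name == name and c.domain == u.hostname
                for c in self.cookies.values()
            ):
                accepted = False
                continue
            self.cookies[(u.hostname, path, name)] = StoredCookie(
                name, morsel.value, u.hostname, path, secure)
        return accepted

    def cookie_header(self, url):
        """The Cookie header the browser would attach to a request to url."""
        u = urlsplit(url)
        https = u.scheme == "https"
        pairs = [
            f"{c.name}={c.value}" for c in self.cookies.values()
            if c.domain == u.hostname
            and (u.path or "/").startswith(c.path)
            and (https or not c.secure)  # Rule 3: Secure cookies never go over HTTP
        ]
        return "; ".join(pairs)


def simulate_login(jar, scheme, host="jira.example.com"):
    """One login round trip; returns the Cookie header sent on the next request."""
    login_url = f"{scheme}://{host}/login.jsp"
    attrs = "; Secure; HttpOnly" if scheme == "https" else "; HttpOnly"
    jar.set_from_response(login_url, f"JSESSIONID={scheme.upper()}-SESSION; Path=/{attrs}")
    return jar.cookie_header(f"{scheme}://{host}/secure/Dashboard.jspa")


def demo():
    """Returns (https login, http login afterwards, http login in fresh profile)."""
    jar = CookieJar()
    after_https = simulate_login(jar, "https")      # cookie echoed back
    after_http = simulate_login(jar, "http")        # empty: Jira sees no session
    incognito = simulate_login(CookieJar(), "http")  # fresh jar: HTTP login works
    return after_https, after_http, incognito


if __name__ == "__main__":
    for label, header in zip(("HTTPS", "HTTP same profile", "HTTP incognito"), demo()):
        print(f"{label:18}: Cookie: {header or '<none>'}")
```

The empty Cookie header in the second step is exactly what the HAR capture shows: Jira answers with yet another Set-Cookie, and the loop continues until the request is made over HTTPS or from a profile that holds no Secure JSESSIONID.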

Resolution

The main resolution for this problem is to ensure that HTTP to HTTPS redirection is enabled, either directly on Jira's Tomcat or on the reverse proxy doing the HTTPS offloading, so that all login requests are made over HTTPS.

It is always better to avoid mixing HTTP and HTTPS on the same domain, for security reasons.
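Once the redirect is configured on Tomcat or the proxy, it is worth confirming from outside that a plain-HTTP request to the login URL really is answered with a redirect to HTTPS rather than with a 200 page. The script below is an added example and not part of the article: `classify_redirect()` decides whether a response is an HTTP to HTTPS redirect to the same host, and `probe()` performs one request without following redirects. The hostname and path are placeholders to replace with your own.

```python
"""Confirm that HTTP requests to Jira are redirected to HTTPS (added example).

Host and path below are placeholders; nothing here is Jira's own code.
"""
import http.client
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 307, 308)


def classify_redirect(status, location, requested_url):
    """True when the response redirects the same host from HTTP to HTTPS."""
    if status not in REDIRECT_STATUSES or not location:
        return False
    requested = urlsplit(requested_url)
    target = urlsplit(location)
    # A relative Location keeps the scheme of the request, so it cannot upgrade.
    if target.scheme != "https":
        return False
    return (target.hostname or requested.hostname) == requested.hostname


def probe(host, path="/login.jsp", timeout=5):
    """Send one HTTP request, do not follow redirects; returns (status, location, ok)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        ok = classify_redirect(resp.status, location, f"http://{host}{path}")
        return resp.status, location, ok
    finally:
        conn.close()


if __name__ == "__main__":
    status, location, ok = probe("jira.example.com")  # placeholder host
    print(f"HTTP /login.jsp -> {status} {location or ''}: "
          f"{'redirects to HTTPS' if ok else 'NOT redirected to HTTPS'}")
```

A 200 response, or a redirect whose Location is still `http://`, means the redirect is missing or misconfigured and HTTP logins will keep failing in browsers that already hold the HTTPS session cookie.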



Description: Unable to access Jira on HTTP after enabling HTTPS
Product: Jira Core
Last modified on Oct 2, 2019
