
A threat model is that you can steal the creds of any high clearance officer in the organization. If they reuse the password on the network, you now have unfettered access.

SSO is much more common these days, but that wasn't the case back then.




Steal the creds by doing what, though? Most attacks could get their password even if it wasn't in the cookie.

And password managers have been plenty well known for a long time.


How do you get the password if it's not in the cookie? When it's in the cookies, any 3rd party script can swipe it.

A third party script that's embedded into the task management website? Otherwise I don't see how it's going to get to the cookie. And if it is embedded into the website, it can force a fresh login and steal the cookie that way.

And you can set HttpOnly to stop javascript from being able to access the cookie... but that still won't stop the attack of making them log in again.


The threat model I imagined here was:

1. Initial access to physical machine, most likely via phishing malware, reckless employees downloading untrusted content, or bad luck.

2. Malware looks for browser cookies, hoping to steal temporary credentials but instead gains persistent creds, which grant Jira access. People re-use passwords; malware tries this password against AdUser and any other systems or other corp user accounts it can find.

3. Direct Jira access used to pivot, that custom Jira app is probed for app vulns (likely given design).


So with a better system the malware has to wait an extra couple hours to get the password (by dropping the non-password authentication cookie and making the user log in again), and it can still prod Jira in the meantime. That doesn't strike me as a very big difference. It's an improvement in security but not a big one.

More likely:

1. Get e-mail from boss, look at headers, find boss IP addy

2. Failing that, memorize boss office number or workstation tag, run stealthy network scan, do reverse dns lookup

3. Be a router, arp spoof mitm attack

4. ?????

5. Profit



