What's happening is as follows. When you are actively using Jira, the Jira server keeps a 'session' for you, which is just a handful of key:value pairs. Incidentally, if you are a Jira administrator you can see your session's attributes by dropping sessionattributes.jsp into your atlassian-jira/secure/ directory, and hitting the /secure/sessionattribute.jsp URL.


The session attribute we care about here is atlassian.xsrf.token. An XSRF token is a secret bit of text known only to the Jira server and your browser. In your browser you can see the same XSRF token in a cookie by clicking on the padlock icon to the left of the URL.

Your browser must include the XSRF token with every request, usually as a cookie. If a request comes without a matching XSRF token, Jira will assume that the request did not come from a trusted source, and will respond with an error.

This XSRF token stays the same for the duration of your session, which is 5 hours by default (5h = 18000 minutes in the Max Inactive Interval session attribute). After 5 hours of inactivity, or if you log out and back in again, you get a new session and a new XSRF token.
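
The session and token lifecycle described above, as an added example that is not Jira's own code: a simplified model in which the server keeps the token in the session, rejects requests whose token does not match, and issues a new token after the inactivity timeout or a fresh login. The `SessionStore` class, its method names, the reason strings and the timestamps are assumptions made for illustration.

```python
import hmac
import secrets
from datetime import datetime, timedelta

# Simplified model of the behaviour described in the text; not Jira's implementation.
MAX_INACTIVE = timedelta(hours=5)    # default session lifetime stated in the text
TOKEN_ATTR = "atlassian.xsrf.token"  # session attribute named in the text


class SessionStore:
    """Hypothetical in-memory session store keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def login(self, now):
        """Create a fresh session holding a new random XSRF token."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {TOKEN_ATTR: secrets.token_hex(20), "last_seen": now}
        return sid, self._sessions[sid][TOKEN_ATTR]

    def check_request(self, sid, presented_token, now):
        """Return (ok, reason) for a request carrying a session id and a token."""
        session = self._sessions.get(sid)
        if session is None:
            return False, "no-session"
        if now - session["last_seen"] > MAX_INACTIVE:
            # Inactivity timeout: the session and its token are discarded.
            del self._sessions[sid]
            return False, "session-expired"
        session["last_seen"] = now
        # Constant-time comparison so the check does not leak how much matched.
        if not presented_token or not hmac.compare_digest(
            presented_token.encode(), session[TOKEN_ATTR].encode()
        ):
            return False, "xsrf-mismatch"
        return True, "ok"


def demo():
    """Walk one constructed session through match, mismatch, expiry and re-login."""
    store = SessionStore()
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    sid, token = store.login(t0)
    results = [
        store.check_request(sid, token, t0 + timedelta(hours=1)),
        store.check_request(sid, "forged", t0 + timedelta(hours=2)),
        store.check_request(sid, token, t0 + timedelta(hours=8)),  # 6h idle
    ]
    sid2, token2 = store.login(t0 + timedelta(hours=8))
    # A page still holding the old token fails against the new session.
    results.append(store.check_request(sid2, token, t0 + timedelta(hours=8)))
    return results, token != token2
```

The last case in `demo()` is the one that matters for troubleshooting: a client that still presents the token from an earlier session is rejected even though it now has a valid session.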


The XSRF token is stored as a cookie, but unfortunately, for some broken 
