JIRA application cookies

This page lists cookies stored in JIRA application users' browsers which are generated by JIRA itself. This page does not list cookies that may originate from 3rd-party JIRA plugins.

Authentication cookies

JIRA uses Seraph, an open source framework, for HTTP cookie authentication. JIRA uses two types of cookies for user authentication:

  • The JSESSIONID cookie is created by the application server and used for session tracking purposes. This cookie contains a random string and expires at the end of every session or when the browser is closed.
  • The 'remember my login' cookie (aka the 'remember me' cookie), seraph.rememberme.cookie, is generated by JIRA when the user selects the Remember my login on this computer checkbox on the login page.

You can read about cookies on the Wikipedia page about HTTP cookies.

The 'remember my login' cookie

The 'remember my login' cookie, seraph.rememberme.cookie, is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. JIRA generates this cookie when the user selects the Remember my login on this computer checkbox on the login page.

Cookie key and contents

By default, the cookie key is seraph.rememberme.cookie, which is defined by the login.cookie.key parameter in the <jira-application-dir>/WEB-INF/classes/seraph-config.xml file of your JIRA installation directory.

The cookie contains a unique identifier plus a securely-generated random string (i.e. token). This token is generated by JIRA and is also stored for the user in the JIRA database.

Use of cookie for authentication

When a user requests a web page, if the request is not already authenticated via session-based authentication or otherwise, JIRA will match the 'remember my login' cookie (if present) against the token (also if present) that is stored for the user in the JIRA database.

If the token in the cookie matches the token stored in the database and the cookie has not expired, the user is authenticated.

Life of 'remember my login' cookies

You can configure the maximum age of the cookie. To do that you will need to modify the <jira-application-dir>/WEB-INF/classes/seraph-config.xml file of your JIRA installation directory and insert the following lines below the other init-param elements:

<init-param>
	<param-name>autologin.cookie.age</param-name>
	<param-value>2592000</param-value> <!-- The value of 30 days in seconds -->
</init-param>
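
An added example, not part of the original page or of Atlassian's code: a small Python audit that reads the contents of seraph-config.xml and reports the 'remember my login' cookie key and autologin.cookie.age, flagging a missing, duplicated, non-numeric or over-policy value. The wrapper elements in the sample XML and the max_days threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; wrapper element names are assumed, only init-param matters here.
SAMPLE_SERAPH_CONFIG = """\
<security-config>
  <parameters>
    <init-param>
      <param-name>login.cookie.key</param-name>
      <param-value>seraph.rememberme.cookie</param-value>
    </init-param>
    <init-param>
      <param-name>autologin.cookie.age</param-name>
      <param-value>2592000</param-value> <!-- The value of 30 days in seconds -->
    </init-param>
  </parameters>
</security-config>
"""

def read_init_params(xml_text):
    """Map each param-name to the list of values found (duplicates are kept)."""
    params = {}
    for node in ET.fromstring(xml_text).iter("init-param"):
        name = (node.findtext("param-name") or "").strip()
        value = (node.findtext("param-value") or "").strip()
        if name:
            params.setdefault(name, []).append(value)
    return params

def audit_remember_me(xml_text, max_days=14):
    """Return (cookie_key, age_seconds, findings). max_days is a local policy, not a JIRA setting."""
    params = read_init_params(xml_text)
    findings = []
    key = (params.get("login.cookie.key") or [None])[-1]
    ages = params.get("autologin.cookie.age", [])
    if len(ages) > 1:  # which duplicate wins is not stated on the page; the last is reported
        findings.append("autologin.cookie.age defined %d times" % len(ages))
    if not ages:
        findings.append("autologin.cookie.age not set; application default applies")
        return key, None, findings
    try:
        age = int(ages[-1])
    except ValueError:
        findings.append("autologin.cookie.age is not an integer: %r" % ages[-1])
        return key, None, findings
    if age > max_days * 86400:
        findings.append("remember-me cookie lives %.1f days, policy is %d" % (age / 86400, max_days))
    return key, age, findings
```

To audit a real installation, pass the text of <jira-application-dir>/WEB-INF/classes/seraph-config.xml to audit_remember_me.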

Other JIRA cookies

There are several cookies that JIRA uses for a variety of other purposes, such as to enhance JIRA's security and to store basic presentation and browser capability states, including the type of search view that was last used and various other presentation states. JIRA users' authentication details are not stored by these cookies.

Cookie key: atlassian.xsrf.token
  • Purpose: Helps prevent XSRF attacks. Ensures that during a user's session, browser requests sent to a JIRA server originated from that JIRA server. For more information about XSRF checking by JIRA, see Form Token Checking on the Atlassian Developers site.
  • Cookie contents: Your JIRA server's Server ID, a securely-generated random string (i.e. token) and a flag indicating whether or not the user was logged in at the time the token was generated.
  • Expiry: At the end of every session or when the browser is closed.

Cookie key: jira.issue.navigator.type
  • Purpose: Tracks which type of search view was last used (i.e. simple or advanced searching).
  • Cookie contents: A string indicating the state of your last search view.
  • Expiry: Approximately 10 years from the date it is set or was last updated.

Cookie key: AJS.conglomerate.cookie
  • Purpose: Tracks which general tabs were last used (e.g. in JIRA's plugin manager) or expansion elements were last opened or closed.
  • Cookie contents: One or more key-value strings which indicate the states of your last general tab views or expansion elements.
  • Expiry: One year from the date it is set or was last updated.

Cookie key: UNSUPPORTED_BROWSER_WARNING
  • Purpose: Acknowledges that the user has read a message displayed by JIRA indicating that the user's browser is not supported by JIRA.
  • Cookie contents: A string which indicates that the user has clicked a button acknowledging they have read the message stating they are using an unsupported browser.
  • Expiry: At the end of every session or when the browser is closed.

Cookie key: AJS.thisPage
  • Purpose: Indicates that the user's browser does not support local storage. This relates to a mechanism used by JIRA to store field information in search views when the user clicks their browser's back button.
  • Cookie contents: A string which indicates that the user's browser does not support local storage.
  • Expiry: At the end of every session or when the browser is closed.
