Jira application cookies
Authentication cookies
Jira uses Seraph, an open source framework, for HTTP cookie authentication. Jira uses two types of cookies for user authentication:
- The JSESSIONID cookie is created by the application server and used for session tracking purposes. This cookie contains a random string and the cookie expires at the end of every session or when the browser is closed.
- The 'remember my login' cookie (aka the 'remember me' cookie),
seraph.rememberme.cookie
, is generated by Jira when the user selects the Remember my login on this computer checkbox on the login page.
You can read about cookies on the Wikipedia page about HTTP cookies.
The 'remember my login' cookie
The 'remember my login' cookie, seraph.rememberme.cookie
, is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. Jira generates this cookie when the user selects the Remember my login on this computer checkbox on the login page.
Cookie key and contents
By default, the cookie key is seraph.rememberme.cookie
, which is defined by the login.cookie.key
parameter in the <jira-application-dir>/WEB-INF/classes/seraph-config.xml
file of your Jira installation directory.
The cookie contains a unique identifier plus a securely-generated random string (i.e. token). This token is generated by Jira and is also stored for the user in the Jira database.
Use of cookie for authentication
When a user requests a web page, if the request is not already authenticated via session-based authentication or otherwise, Jira will match the 'remember my login' cookie (if present) against the token (also if present), which is stored for the user in the Jira database.
If the token in the cookie matches the token stored in the database and the cookie has not expired, the user is authenticated.
Life of 'remember my login' cookies
You can configure the maximum age of the cookie. To do that you will need to modify the <jira-application-dir>/WEB-INF/classes/seraph-config.xml
file of your Jira installation directory and insert the following lines below the other init-param
elements:
<init-param>
<param-name>autologin.cookie.age</param-name>
<param-value>2147483</param-value> <!-- The value of ~25 days in seconds -->
</init-param>
Maximum value
The value provided in the code snippet above is the maximum you can use for the 'remember my login' cookies. Anything higher will result in errors. See this bug
Other Jira cookies
There are several cookies that Jira uses for a variety of other purposes, such as to enhance Jira's security and to store basic presentation and browser capability states, including the type of search view that was last used and various other presentation states. Jira users' authentication details are not stored by these cookies.
Cookie key | Purpose | Cookie contents | Expiry |
atlassian.xsrf.token | Helps prevent XSRF attacks. Ensures that during a user's session, browser requests sent to a Jira server originated from that Jira server. For more information about XSRF checking by Jira, see Form Token Checking on the Atlassian Developers site. | Your Jira server's Server ID, a securely-generated random string (i.e. token) and a flag indicating whether or not the user was logged in at the time the token was generated. | At the end of every session or when the browser is closed. |
jira.issue.navigator.type | Tracks which type of search view was last used (i.e. simple or advanced searching). | A string indicating the state of your last search view. | Approximately 10 years from the date it is set or was last updated. |
AJS.conglomerate.cookie | Tracks which general tabs were last used (e.g. in Jira's plugin manager) or expansion elements were last opened or closed. | One or more key-value strings which indicate the states of your last general tab views or expansion elements. | One year from the date it is set or was last updated. |
UNSUPPORTED_BROWSER_WARNING | Acknowledges that the user has read a message displayed by Jira indicating that the user's browser is not supported by Jira. | A string which indicates that the user has clicked a button acknowledging they have read the message stating they are using an unsupported browser. | At the end of every session or when the browser is closed. |
AJS.thisPage | Indicates that the user's browser does not support local storage. This relates to a mechanism used by Jira to store field information in search views when the user clicks their browser's back button. | A string which indicates that the user's browser does not support local storage. | At the end of every session or when the browser is closed. |