Bitbucket Server session does not expire after the configured timeout

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

The value specified in the <session-timeout> setting, in web.xml, is not respected and the user is never logged out.

Causes

There are several causes that can lead to this behavior.

  1. The login screen might have the "remember me" checkbox marked.
  2. If using clustering, each node has its own web.xml and changes may not be in sync.
  3. The load balancer has session affinity enabled.
  4. The user may be active the entire time, which will cause them to not be logged out.

Bitbucket Server 5.0

Starting with Bitbucket Server 5.0, the configuration in web.xml is no longer used and all settings are read from <BitbucketHome>/shared/bitbucket.properties.

Setting server.session.timeout=1800 in bitbucket.properties will adjust the default session timeout. This value is set in seconds. See Configuration properties for more information.

To set Bitbucket's session cookies to also expire when the browser closes, it's recommended to set server.session.cookie.max-age=-1 in your bitbucket.properties file.

Resolutions

  1. Verify that the "remember me" checkbox is not marked before logging in. Unless the "remember me" checkbox is disabled, which is very unlikely, the "remember me" token exists. This means that the session does time out, but a new session is then transparently created.
  2. Please ensure that the value configured for the <session-timeout> setting is consistent in the web.xml from each node.
  3. Each load balancer has its own session affinity configuration, but here are useful links for F5 load balancer, HAProxy and Microsoft Azure, as these are the most common.
  4. By inactive, we mean not using Bitbucket Server at all. From Bitbucket Server 4.10.x onwards, the dashboard makes periodic REST requests to the server to refresh itself, which resets the session timeout, so please also make sure that the user does not have any web browser tabs open on the Bitbucket Server dashboard page.
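
The following is an added example, not Atlassian's code: it reads the two session settings named above from bitbucket.properties text, and for pre-5.0 clusters compares <session-timeout> across each node's web.xml. Function names, node names and sample inputs are constructed for illustration; note that <session-timeout> in web.xml is in minutes per the Servlet specification, while server.session.timeout is in seconds.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real instance).
SAMPLE_PROPERTIES = """\
# <BitbucketHome>/shared/bitbucket.properties
server.session.timeout=1800
server.session.cookie.max-age=-1
"""
_WEBXML = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><session-config>'
           '<session-timeout>{}</session-timeout></session-config></web-app>')
SAMPLE_WEBXML = {"node1": _WEBXML.format(30), "node2": _WEBXML.format(60)}

def parse_properties(text):
    """Minimal key=value parser; a later duplicate key overrides an earlier one."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # skip blanks, comments and lines without a value
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_properties(text):
    """Report the two session settings from the article (None = not set)."""
    props = parse_properties(text)
    timeout = props.get("server.session.timeout")
    return {
        "timeout_seconds": int(timeout) if timeout is not None else None,
        "cookie_expires_on_browser_close":
            props.get("server.session.cookie.max-age") == "-1",
    }

def webxml_timeouts(node_xml):
    """Map node name -> <session-timeout> in minutes (None if absent)."""
    result = {}
    for node, xml_text in node_xml.items():
        result[node] = None
        for el in ET.fromstring(xml_text).iter():
            # Match on the local name so any web-app namespace is accepted.
            if el.tag.rsplit("}", 1)[-1] == "session-timeout":
                result[node] = int(el.text.strip())
    return result

def nodes_in_sync(node_xml):
    """True when every node's web.xml carries the same timeout value."""
    return len(set(webxml_timeouts(node_xml).values())) == 1

if __name__ == "__main__":
    print(audit_properties(SAMPLE_PROPERTIES))
    print(webxml_timeouts(SAMPLE_WEBXML), nodes_in_sync(SAMPLE_WEBXML))
```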


Last modified on Jul 11, 2022
