Bitbucket Server session does not expire after the configured timeout
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
The value specified in the <session-timeout> setting, in web.xml, is not respected and the user is never logged out.
Causes
There are several causes that can lead to this behavior.
- The login screen might have the "remember me" checkbox marked.
- If using clustering, each node has its own web.xml and changes may not be in sync.
- The load balancer has session affinity enabled.
- The user may be active the entire time, which will cause them to not be logged out.
Bitbucket Server 5.0
Starting with Bitbucket Server 5.0+, the configuration in web.xml is no longer used and all settings are read from <BitbucketHome>/shared/bitbucket.properties.
Setting server.session.timeout=1800 in bitbucket.properties will adjust the default session timeout. This value is set in seconds. See Configuration properties for more information.
To set Bitbucket's session cookies to also expire when the browser closes, it's recommended to set server.session.cookie.max-age=-1 in your bitbucket.properties file.
Resolutions
- Verify that the "remember me" checkbox is not marked before logging in. Unless the "remember me" checkbox is disabled, which is very unlikely, the "remember me" token exists, and this means that the session does time out, but then a new session is transparently created.
- Please ensure that the value configured for the <session-timeout> setting is consistent in the web.xml from each node.
- Each load balancer has its own session affinity configuration, but here are useful links for F5 load balancer, HAProxy and Microsoft Azure, as these are the most common.
- By inactive, we mean not using Bitbucket Server at all. From Bitbucket Server 4.10.x onwards, the dashboard makes periodic REST requests to the server to refresh itself, which resets the session timeout, so please make sure that the user does not have any web browser tabs with Bitbucket Server dashboard page open as well.
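One way to check the per-node web.xml consistency described above, and to read back the two bitbucket.properties keys this article names, is sketched below. This is an added example, not Atlassian code; the node names, the sample web.xml and the sample properties text are constructed, and in practice you would load each node's file contents yourself.

```python
import xml.etree.ElementTree as ET

def web_xml_timeout(xml_text):
    """Return the <session-timeout> value from web.xml text, or None if unset."""
    for el in ET.fromstring(xml_text).iter():
        # web.xml usually declares a default namespace; compare local names only.
        if el.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int(el.text.strip())
    return None

def inconsistent_nodes(node_xml):
    """Return (per-node values, nodes whose value differs from the most common one)."""
    values = {node: web_xml_timeout(text) for node, text in node_xml.items()}
    seen = list(values.values())
    majority = max(set(seen), key=seen.count)
    return values, sorted(n for n, v in values.items() if v != majority)

def session_properties(props_text):
    """Read the two session keys named in this article from bitbucket.properties text."""
    wanted = ("server.session.timeout", "server.session.cookie.max-age")
    found = {}
    for line in props_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and lines that are not key=value pairs.
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in wanted:
            found[key] = int(value)
    return found

# Constructed sample input (not taken from a real instance).
WEB_XML = (
    '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
    "<session-config><session-timeout>{}</session-timeout></session-config>"
    "</web-app>"
)
NODES = {"node1": WEB_XML.format(30), "node2": WEB_XML.format(30),
         "node3": WEB_XML.format(60)}
PROPS = ("# constructed sample\n"
         "server.session.timeout=1800\n"
         "server.session.cookie.max-age=-1\n")

if __name__ == "__main__":
    values, drifted = inconsistent_nodes(NODES)
    print("web.xml session-timeout per node:", values, "out of sync:", drifted)
    print("bitbucket.properties:", session_properties(PROPS))
```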