Confluence Cookies
The 'remember me' cookie
The 'remember me' cookie, seraph.confluence, is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. Confluence generates this cookie when the user selects the Remember me check box on the login page.
The default time to live of this cookie is two weeks.
When running Confluence in a cluster, Remember me is enabled by default to allow users to move seamlessly between nodes. See How to configure the 'Remember Me' feature in Confluence if you need to configure this.
Cookie key and contents
By default, the cookie key is seraph.confluence, which is defined by the login.cookie.key parameter in the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file.
The cookie contains a unique identifier plus a securely-generated random string (i.e. token). This token is generated by Confluence and is also stored for the user in the Confluence database.
Use of cookie for authentication
When a user requests a web page, if the request is not already authenticated via session-based authentication or otherwise, Confluence will match the 'remember me' cookie (if present) against the token (also if present), which is stored for the user in the Confluence database.
If the token in the cookie matches the token stored in the database and the cookie has not expired, the user is authenticated.
Life of 'remember me' cookies
You can configure the maximum age of the cookie. To do that you will need to modify the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file and insert the following lines below the other init-param elements:
<init-param>
    <param-name>autologin.cookie.age</param-name>
    <param-value>259200</param-value><!-- 3 days in seconds -->
</init-param>
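To confirm which 'remember me' settings an instance actually runs with, the seraph-config.xml file can be audited offline. The Python check below is an added example, not part of the Confluence documentation or Atlassian's code. The function names, the wrapper elements in the constructed sample, and the seven-day policy_max_age threshold are assumptions; the parameter names and defaults are the ones given on this page.

```python
import xml.etree.ElementTree as ET

DEFAULT_KEY = "seraph.confluence"   # default cookie key stated on this page
DEFAULT_AGE = 14 * 24 * 3600        # default time to live: two weeks

# Constructed sample; the wrapper element names are assumptions.
SAMPLE = """<security-config>
  <parameters>
    <init-param>
      <param-name>login.cookie.key</param-name>
      <param-value>seraph.confluence</param-value>
    </init-param>
    <init-param>
      <param-name>autologin.cookie.age</param-name>
      <param-value>259200</param-value><!-- 3 days in seconds -->
    </init-param>
  </parameters>
</security-config>"""


def read_init_params(xml_text):
    """Map param-name to param-value for every init-param element."""
    params = {}
    for node in ET.fromstring(xml_text).iter("init-param"):
        name = (node.findtext("param-name") or "").strip()
        if name:
            params[name] = (node.findtext("param-value") or "").strip()
    return params


def audit_remember_me(xml_text, policy_max_age=7 * 24 * 3600):
    """Return the effective cookie key, lifetime and any policy findings."""
    params = read_init_params(xml_text)
    findings = []
    raw = params.get("autologin.cookie.age")
    try:
        age = DEFAULT_AGE if raw is None else int(raw)
    except ValueError:
        age = None
        findings.append(f"autologin.cookie.age is not an integer: {raw!r}")
    if raw is None:
        findings.append("autologin.cookie.age not set; two-week default applies")
    if age is not None and age > policy_max_age:
        findings.append(f"cookie lifetime {age}s exceeds policy {policy_max_age}s")
    return {"cookie_key": params.get("login.cookie.key", DEFAULT_KEY),
            "max_age_seconds": age, "findings": findings}


if __name__ == "__main__":
    print(audit_remember_me(SAMPLE))
```

Pass the contents of the real seraph-config.xml in place of SAMPLE and set policy_max_age to your organisation's limit for long-lived authentication cookies.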
Automatic cleanup of 'remember me' tokens
Every cookie issued by Confluence has a corresponding record in the database. A scheduled job runs on the 20th of every month to clean up expired tokens. The name of the trigger is clearExpiredRememberMeTokensTrigger.
Note: The only purpose of this job is to prevent the database table from growing too big. For authentication purposes, Confluence will ignore expired tokens even if they still exist in the database.
Is it possible to disable the 'remember me' feature?
Confluence does not offer an option for disabling the 'Remember Me' feature. See the workaround.
Other Confluence cookies
There are several cookies that Confluence uses to store basic 'product presentation' states. Confluence users' authentication details are not stored by these cookies.
Cookie Key | Purpose | Cookie Contents | Expiry |
---|---|---|---|
confluence.list. | Remembers the user's last chosen tab in the "list pages" section. | The name of the last selected tab. For example, list-content-tree | One year from the date it was set or was last updated. |
confluence.browse. | Remembers the user's last chosen tab in the "browse space" section. | The name of the last selected tab. For example, space-pages | One year from the date it was set or was last updated. |
confluence-language | Remembers the user's language chosen on the login page. This cookie relates to a feature that allows a user to change Confluence's language from (and including) the login page, when the language presented to the user prior to logging in is not appropriate. | A locale relating to the chosen language. For example, de_DE | 360 days from the date it was set or was last updated. |
AJS.conglomerate. | Tracks which general tabs were last used or expansion elements were last opened or closed. | One or more key-value strings which indicate the states of your last general tab views or expansion elements. | One year from the date it was set or was last updated. |
Notes
The autocomplete feature in browser text fields (which are typically noticeable when a user logs in to Confluence) is a browser-specific feature, not a Confluence one. Confluence cannot enable or disable this autocompletion, which is typically set through a browser's settings.