Configuring Secure Administrator Sessions
Secure administrator sessions allow you to require administrators to re-enter their password before they can access administrative functions. This feature is sometimes known as "websudo" and is turned on by default.
Start a secure administrator session
When an administrator attempts to access an admin function (including some space admin functions like delete space), they will be prompted to re-enter their password. This starts the secure administrator session.
Administrators can select Drop access in the banner to end the session manually. This doesn't log them out of Confluence; it only ends the secure administrator session.
Change the secure administrator session timeout
The secure administrator session has a rolling timeout (the countdown restarts with each admin action), which defaults to 10 minutes. If there's no activity for the full timeout period, the administrator is logged out of the secure session. They'll remain logged in to Confluence.
To change the timeout value:
- Go to Administration > General Configuration > Security Configuration.
- Select Edit.
- Under Secure administrator sessions, in the Minutes before automatic invalidation field, enter the needed value.
- Save your changes.
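To make the rolling timeout concrete, here is an added example (not Confluence's own code) that models the secure administrator session lifecycle described above: password re-entry starts the elevated session, each admin action refreshes the timeout, inactivity past the timeout ends only the elevated session, and Drop access ends it on demand. The class and function names, the credential store and the timeline are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class LoginSession:
    """A logged-in Confluence user session (constructed model, not Confluence's code)."""
    username: str
    last_admin_activity: Optional[float] = None  # None = no secure admin session

class SecureAdminSessions:
    """Models websudo: password re-entry grants an elevated session with a rolling timeout."""
    def __init__(self, timeout_minutes: int = 10, enabled: bool = True) -> None:
        self.timeout_seconds = timeout_minutes * 60
        self.enabled = enabled

    def elevate(self, session, password, verify, now) -> bool:
        """Start the secure admin session once the re-entered password is verified."""
        if not verify(session.username, password):
            return False
        session.last_admin_activity = now
        return True

    def allow_admin_function(self, session, now) -> bool:
        """True if an admin function may run; success refreshes the rolling timeout."""
        if not self.enabled:
            return True  # feature turned off: no re-authentication required
        last = session.last_admin_activity
        if last is None:
            return False  # not elevated: caller must prompt for the password
        if now - last > self.timeout_seconds:
            session.last_admin_activity = None  # expired; the login session survives
            return False
        session.last_admin_activity = now  # any admin activity extends the window
        return True

    def drop_access(self, session) -> None:
        """'Drop access' in the banner: ends the secure admin session, not the login."""
        session.last_admin_activity = None

def walkthrough() -> list:
    """Timeline (seconds) showing rolling expiry, built from constructed sample data."""
    users = {"admin": "correct-horse"}  # constructed credential store
    verify: Callable[[str, str], bool] = lambda u, p: users.get(u) == p
    mgr, s, log = SecureAdminSessions(timeout_minutes=10), LoginSession("admin"), []
    log.append(("t=0 admin page", mgr.allow_admin_function(s, 0)))        # False
    log.append(("t=0 re-auth", mgr.elevate(s, "correct-horse", verify, 0)))  # True
    log.append(("t=300 admin page", mgr.allow_admin_function(s, 300)))     # True
    log.append(("t=840 admin page", mgr.allow_admin_function(s, 840)))     # True (540 s idle)
    log.append(("t=1500 admin page", mgr.allow_admin_function(s, 1500)))   # False (660 s idle)
    return log
```

The t=840 step is the point of the model: under a fixed 10-minute window starting at t=0 it would already be expired, but the rolling timeout only counts idle time since the last admin action.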
Turn off secure administrator sessions
If you're using single sign-on, or have other security measures in place, you may want to disable secure administrator sessions. We don't recommend doing this unless you need to.
To turn off secure administrator sessions:
- Go to Administration > General Configuration > Security Configuration.
- Select Edit.
- Under Secure administrator sessions, clear the Enable checkbox.
- Save your changes.
To add an extra layer of security to websudo operations, you can configure and enable the IP address/subnet allowlist for Jira. This means that certain superuser operations can only be performed from pre-approved IP addresses.
Troubleshooting
Known issues with single sign-on and just-in-time user provisioning
You may need to disable secure administrator sessions if your users are not stored in Confluence's internal user directory. See CONFSERVER-60263 for more information and some suggested workarounds.
Known issues for app developers
Secure administrator sessions can cause exceptions when developing against Confluence or deploying a plugin. See How do I develop against Confluence with Secure Administrator Sessions?
Note that REST and XML-RPC APIs are not affected by secure administrator sessions.