
Atlassian OnDemand uses Seraph, an open source framework, for HTTP cookie authentication.

You can read about cookies on the Wikipedia page.

Authentication cookies

The following cookies are in use:

  • The JSESSIONID cookie is created by each individual application server and used for session tracking for each product. This cookie contains a random string and expires at the end of every session or when the browser is closed.
  • The studio.crowd.tokenkey authentication cookie is used for single sign-on (SSO) between Atlassian OnDemand's applications. Like the JSESSIONID cookie, this cookie also contains a random string and the cookie expires at the end of every session or when the browser is closed.
  • For the original login functionality: The 'remember my login' cookie (aka the 'remember me' cookie), seraph.rememberme.cookie, is generated by Atlassian OnDemand when the user selects the Remember my login on this computer check box on the login page.

  • For the new login functionality: The 'remember my login' cookie (aka the 'remember me' cookie), ondemand.autologin, is generated by Atlassian OnDemand when the user selects the Remember me check box on the login page.


The 'remember my login' cookie

The 'remember my login' cookie is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. Atlassian OnDemand generates this cookie when the user selects the Remember my login on this computer check box or Remember me on the login page.

  • For the original login functionality: The 'remember me' cookie key is seraph.rememberme.cookie.
  • For the new login functionality: The 'remember me' cookie key is ondemand.autologin.

Cookie key and contents

The cookie contains a unique identifier plus a securely-generated random string (i.e. token). This token is generated by Atlassian OnDemand and is also stored for the user by Atlassian OnDemand.

Use of cookie for authentication

When a user requests a web page and the request is not already authenticated (via session-based authentication or otherwise), Atlassian OnDemand matches the 'remember my login' cookie, if present, against the token stored for the user by Atlassian OnDemand, if one exists.

If the random string matches the value stored in the database and the cookie has not expired, the user is authenticated.

Life of 'remember my login' cookies

The cookie lifetime is the system default value and is not configurable.

  • For the original login functionality: The life of the remember me cookies is 14 days.
  • For the new login functionality: The life of the remember me cookies is 30 days.
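
The check described under "Use of cookie for authentication", together with the expiry rule above, as an added example (this is not Seraph or Atlassian OnDemand code). The `id:token` cookie layout, the in-memory store and the choice to store only a SHA-256 digest of the token are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

# 30 days: the lifetime this page gives for the new login functionality.
LIFETIME_SECONDS = 30 * 24 * 3600

# Hypothetical server-side store: identifier -> (username, token digest, expiry).
# Keeping only a SHA-256 digest is a choice of this example, so that a leaked
# store does not hand out usable cookies.
_tokens = {}


def issue_cookie(username, now=None):
    """Create the cookie value set when the user ticks 'Remember me'."""
    now = time.time() if now is None else now
    identifier = secrets.token_hex(8)      # unique identifier (lookup key)
    token = secrets.token_urlsafe(32)      # securely generated random string
    digest = hashlib.sha256(token.encode()).digest()
    _tokens[identifier] = (username, digest, now + LIFETIME_SECONDS)
    return f"{identifier}:{token}"         # "id:token" layout is assumed


def authenticate(cookie_value, now=None):
    """Return the username for a valid cookie, or None."""
    now = time.time() if now is None else now
    identifier, sep, token = (cookie_value or "").partition(":")
    record = _tokens.get(identifier)
    if not sep or record is None:
        return None                        # malformed or unknown identifier
    username, digest, expires = record
    if now >= expires:
        _tokens.pop(identifier, None)      # expired: drop the stored token
        return None
    presented = hashlib.sha256(token.encode()).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(presented, digest):
        return None
    return username


if __name__ == "__main__":
    cookie = issue_cookie("alice", now=0)  # constructed sample user
    print(authenticate(cookie, now=60))                     # alice
    print(authenticate(cookie[:-1] + "!", now=60))          # None
    print(authenticate(cookie, now=LIFETIME_SECONDS))       # None
```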

Other cookies

There are several cookies in OnDemand that are used for storing basic presentation states, such as the number of log lines to show and which tab was previously selected. They are:

| Cookie Key | Purpose | Cookie Contents | Expiry |
| --- | --- | --- | --- |
| atlassian.xsrf.token | Helps prevent XSRF attacks. Ensures that during a user's session, browser requests sent to an Atlassian OnDemand instance originate from that OnDemand instance. For more information about XSRF checking by JIRA, see Form Token Checking on the Atlassian Developers site. | Your Atlassian OnDemand server's Server ID, a securely-generated random string (i.e. token) and a flag that indicates whether or not the user was logged in at the time the token was generated. | At the end of every session or when the browser is closed. |
| studio.project.rec.used.cookie | Stores the most recently used projects. Used by Atlassian OnDemand to track recently viewed projects for the user. | The project keys of all the recently viewed projects, each separated by the string '-_-'. | One year from the date it is set or was last updated. |
| AJS.conglomerate.cookie | Tracks which general tabs were last used or expansion elements were last opened or closed. | One or more key-value strings that indicate the states of your last general tab views or expansion elements. | One year from the date it is set or was last updated. |

Related topics

Confluence Cookies

July 2012: For information about the new login functionality.