Invalidating active user sessions
Unless a user has selected the Remember my login on this computer checkbox when logging into Bamboo, by default, their session will expire after 30 minutes of inactivity. If you need to force the invalidation of all active user sessions for a particular user, you can do that from the Bamboo web interface or through the REST API.
When a user changes their password, all their sessions except the one they used to request the password change will be automatically invalidated, and their rememberme token will be deleted from the database.
Invalidating user sessions through the Bamboo web interface
To invalidate all of a user's active sessions through the Bamboo web interface:
- From the top navigation bar, select Administration > User management.
- From the list on the Users page, select the user whose sessions you'd like to invalidate.
- In the top-right corner of the User details page, select Invalidate sessions.
- In the confirmation dialog, select Confirm.
Invalidating user sessions through the Bamboo REST API
To invalidate all of a user's active sessions through the Bamboo REST API, call the following endpoint as an Administrator:
DELETE /rest/admin/latest/session/{username}
Replace {username} with the username of the account whose sessions you want to invalidate.
Invalidating persistent sessions
If you've enabled session persistence across Bamboo server restarts, sessions started before a restart can't be invalidated using any of the methods described on this page. In case you need to invalidate persistent sessions (potentially for security reasons), you can do so by deleting the file that stores session data and manually removing the rememberme token from the database.
To invalidate persistent sessions:
- Shut down Bamboo.
- Check the following directories for the SESSIONS.ser file and delete it from there:
  - $CATALINA_BASE/work/<ENGINE_NAME>/<HOSTNAME>/<APP_NAME>
  - $CATALINA_BASE/work/Catalina/localhost/ROOT
- Filter the rememberme_token table in your database by the name of the user whose sessions you want to invalidate and delete all rememberme tokens associated with them.
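The file-deletion step above can be scripted as follows. This is an added example, not Atlassian's own tooling: the function name `purge_session_files` and its `dry-run` mode are assumptions made here, and it covers only the SESSIONS.ser step, so Bamboo must already be shut down and the rememberme_token rows still have to be removed in the database.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Bamboo).
# Run only after Bamboo has been shut down.
# Both directories named in the procedure follow the layout
#   $CATALINA_BASE/work/<ENGINE_NAME>/<HOSTNAME>/<APP_NAME>/SESSIONS.ser
# so the glob below checks every engine/host/app combination at that depth.

# purge_session_files CATALINA_BASE [dry-run]
# Writes the number of matching files to stdout, details to stderr.
# Returns 2 if there is no work directory, 1 if any deletion failed.
purge_session_files() {
    base=$1
    mode=${2:-delete}      # "dry-run" lists the files without deleting them
    count=0
    failed=0
    if [ ! -d "$base/work" ]; then
        echo "no work directory under: $base" >&2
        return 2
    fi
    for f in "$base"/work/*/*/*/SESSIONS.ser; do
        # An unmatched glob stays literal, so test that the file exists.
        # Symlinks are skipped so nothing outside the work tree is touched.
        if [ ! -f "$f" ] || [ -L "$f" ]; then
            continue
        fi
        if [ "$mode" = "dry-run" ]; then
            echo "would delete: $f" >&2
            count=$((count + 1))
        elif rm -f -- "$f"; then
            echo "deleted: $f" >&2
            count=$((count + 1))
        else
            echo "could not delete: $f" >&2
            failed=1
        fi
    done
    echo "$count"
    return "$failed"
}

# Typical use, as the account that owns the Bamboo installation:
#   purge_session_files "$CATALINA_BASE" dry-run
#   purge_session_files "$CATALINA_BASE"
```

Run the dry-run form first and compare the listed paths with the two directories given in the procedure before deleting anything.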