Data Center 9.4
Versions

Invalidating active user sessions

Managing users

On this page

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Unless a user has selected the Remember my login on this computer checkbox when logging into Bamboo, by default, their session will expire after 30 minutes of inactivity. If you need to force the invalidation of all active user sessions for a particular user, you can do that from the Bamboo web interface or through the REST API.

When a user changes their password, all their sessions except the one they used to request the password change will be automatically invalidated, and their rememberme token will be deleted from the database.

On this page:

Invalidating user sessions through the Bamboo web interface

To invalidate a user's all active sessions through the Bamboo web interface:

  1. From the top navigation bar, select
    Administration bamboo administration icon
    > User management.
  2. From the list on the Users page, select the user whose sessions you'd like to invalidate.
  3. In the top-right corner of the User details page, select Invalidate sessions.
  4. In the confirmation dialog, select Confirm.

Invalidating user sessions through the Bamboo REST API

To invalidate a user's all active sessions through the Bamboo REST API, call the following endpoint as an Administrator:

DELETE /rest/admin/latest/session/{username}

Replace {username} with the username of the account whose sessions you want to invalidate.

Invalidating persistent sessions

If you've enabled session persistence across Bamboo server restarts, sessions started before a restart can't be invalidated using any of the methods described on this page. In case you need to invalidate persistent sessions (potentially for security reasons), you can do so by deleting the file that stores session data and manually removing the rememberme token from the database.

To invalidate persistent sessions:

  1. Shut down Bamboo.
  2. Check the following directories for the SESSIONS.ser file and delete it from there:
    • $CATALINA_BASE/work/<ENGINE_NAME>/<HOSTNAME>/<APP_NAME>
    • $CATALINA_BASE/work/Catalina/localhost/ROOT
  3. Filter the rememberme_token table in your database by the name of the user whose sessions you want to invalidate and delete all rememberme tokens associated with them.


Last modified on May 25, 2023

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.