Configuring Secure Administrator Sessions

Secure administrator sessions allows you to require administrators to re-enter their password before they can access administrative functions. This feature is sometimes known as "websudo" and is turned on by default. 

Start a secure administrator session

When an administrator attempts to access an admin function (including some space admin functions like delete space), they will be prompted to re-enter their password. This starts the secure administrator session. 

Administrators can click Drop access in the banner to manually end the session. This won't log them out of Confluence, it will just end the secure administrator session. 

Change the secure administrator session timeout

The secure administrator session has a rolling timeout which defaults to 10 minutes. If there's no activity for a period of time, the administrator will be logged out of the session. They'll remain logged in to Confluence. 

To change the timeout value:

  1. Go to  > General Configuration > Security Configuration
  2. Select Edit.
  3. Under Secure administrator sessions, enter the Minutes before automatic invalidation.
  4. Save your changes.

Turn off secure administrator sessions

If you're using single sign-on, or have other security measures in place, you may want to disable secure administrator sessions. We don't recommend doing this unless you need to. 

To turn off secure administrator sessions:

  1. Go to  > General Configuration > Security Configuration
  2. Select Edit.
  3. Under Secure administrator sessions, deselect the Enable checkbox.
  4. Save your changes. 

Troubleshooting 

Known issues with single sign-on and just-in-time user provisioning

You may need to disable secure administrator sessions if your users are not stored in Confluence's internal user directory. See  CONFSERVER-60263 - Getting issue details... STATUS  for more information and some suggested workarounds. 

Known issues for app developers

Secure administrator sessions can cause exceptions when developing against Confluence or deploying a plugin. See How do I develop against Confluence with Secure Administrator Sessions?

Note that REST and XML-RPC APIs are not affected by secure administration sessions.

Last modified on Aug 17, 2021

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.