How to adjust the session timeout for Confluence

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

In Confluence there are two Session Cookies:

  • JSESSIONID: which is used and managed by Tomcat.
    • By default this is considered a Session cookie.

      Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.

  • seraph.confluence: which is used by the Confluence application and managed through the Seraph Framework.
    • This cookie is used when the remember me option is checked by the user during the login.
    • It is important to note that this option is enforced on clustered Confluence Data Center and the user won't see this on the login page. See How to configure the 'Remember Me' feature in Confluence if you want to change this.

    • This option is also enforced when configuring SSO through the SSO for Atlassian Server and Data Center App with default settings.
    • By default this is considered a Permanent cookie.

      Permanent cookies are deleted at the date specified by the Expires attribute, or after the period of time specified by the Max-Age attribute.


When seraph.confluence isn't set and JSESSIONID is the only cookie identifying the session, the session is lost (the user needs to authenticate again) when:

  • User closes the browser.
  • The application node is restarted.
  • The user is sent to a different application node on a clustered Data Center.
  • The user logs out.
  • User is idle for 60 minutes.
    • This doesn't apply when working on the Confluence Editor, meaning the session isn't lost if the user is idle on the Editor for more than 60 minutes.


When seraph.confluence is set, its default max-age is 14 days (1209600 seconds); once that period elapses the browser deletes the cookie and the rules detailed above apply again.
However, while this cookie is valid it takes precedence over JSESSIONID, so a user does not lose the session when:

  • The browser is closed.
  • The application node is restarted.
  • The user is sent to a different application node on a clustered Data Center.
  • The user is idle on the browser.


If a Confluence administrator needs to adjust a user's session timeout, the expiration time of both cookies must be adjusted.

Changes can be applied to the following configuration files:

  • <confluence-install>/conf/web.xml
    • This is where the Tomcat session cookie is managed globally for the web server.

  • <confluence-install>/confluence/WEB-INF/web.xml
    • This is where the Tomcat session cookie (JSESSIONID) assigned to the Confluence application is managed.
    • A value set here takes precedence over the one in the previous file.
  • <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
    • This is where the seraph.confluence (remember me) cookie is managed.


Environment

Confluence Data Center and Server.

Solution

Change the idle timeout

Let's suppose you want to invalidate a session when the user is idle for 5 hours (this is just an example and the value should be changed based on your needs), unless the remember me option is checked.
Then the only file you need to touch is <confluence-install>/confluence/WEB-INF/web.xml.


  1. Edit <confluence-install>/confluence/WEB-INF/web.xml and search for a block similar to the below – this is the default configuration.

        <session-config>
            <session-timeout>60</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
  2. Adjust this configuration as below – session timeout is configured in minutes.

        <session-config>
            <session-timeout>300</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
  3. Restart Confluence so the changes are applied.

When running Confluence in a cluster, the above changes must be applied on every node.
A rolling restart is enough, so there is no full downtime.

Change the lifetime of the remember me cookie

Let's suppose you want to change the lifetime of the seraph.confluence cookie to 2 days (this is just an example and the value should be changed based on your needs).
Then the only file you need to touch is <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml.
Usually, this is the configuration you would change when you need to modify the session timeout.


  1. Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.

            <!-- session-timeout -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>172800</param-value>
            </init-param>

    By default the autologin.cookie.age parameter isn't set in the file. If you have changed it before, search for it and modify the existing value instead of adding a second copy.
    The above block of configuration must be placed inside the existing <parameters> element of that file.


  2. Restart Confluence so the changes are applied.


When running Confluence in a cluster, the above changes must be applied on every node.
A rolling restart is enough, so there is no full downtime.

Forcefully logout users sometime after they authenticated

Let's suppose you have strict security policies and need to expire a user session 8 hours (this is just an example and the value should be changed based on your needs) after the user authenticated, whether or not the user is idle.
This will log out the user even while they are actively working in the Confluence editor – this is sometimes unwanted behavior, so be sure this is what you want before choosing this option.
Choose this option only when the combination of the two solutions above is not enough.

Below are the recommended configuration changes you need to perform on each of the files.


  1. Edit <confluence-install>/conf/web.xml and search for a block similar to the below – this is the default configuration.

        <session-config>
            <session-timeout>30</session-timeout>
        </session-config>
  2. Adjust the configuration as below.

        <session-config>
            <session-timeout>480</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
            <cookie-config> 
              <max-age>28800</max-age> 
            </cookie-config>
        </session-config>
    • session-timeout is configured in minutes while max-age is configured in seconds.
    • Adding a max-age to the JSESSIONID turns it into a permanent cookie.

  3. Edit <confluence-install>/confluence/WEB-INF/web.xml and search for a block similar to the below – this is the default configuration.

        <session-config>
            <session-timeout>60</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
        </session-config>
  4. Adjust this configuration as below.

        <session-config>
            <session-timeout>480</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
            <cookie-config> 
              <max-age>28800</max-age> 
            </cookie-config>
        </session-config>
  5. Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.

            <!-- session-timeout -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>28800</param-value>
            </init-param>

    By default the autologin.cookie.age parameter isn't set in the file. If you have changed it before, search for it and modify the existing value instead of adding a second copy.
    The above block of configuration must be placed inside the existing <parameters> element of that file.


  6. Restart Confluence so the changes are applied.

When running Confluence in a cluster, the above changes must be applied on every node.
A rolling restart is enough, so there is no full downtime.
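As an added example (not Atlassian code), the following script audits the three files edited in the procedures above: it parses each file, applies the precedence rule this article states (confluence/WEB-INF/web.xml over conf/web.xml, and the 14-day default when autologin.cookie.age is absent), and flags the two mistakes that most often undo these changes: a max-age that disagrees with session-timeout (seconds versus minutes) and a remember me cookie that outlives the intended session limit. The XML strings are constructed stand-ins; point the functions at the real files under <confluence-install> to check a node before restarting it.

```python
# Added example (not Atlassian code): audit the three files this article edits and
# report the effective session settings. The XML below is constructed stand-in input.
import xml.etree.ElementTree as ET

CONF_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><session-config>
  <session-timeout>30</session-timeout></session-config></web-app>"""
APP_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><session-config>
  <session-timeout>480</session-timeout><tracking-mode>COOKIE</tracking-mode>
  <cookie-config><max-age>28800</max-age></cookie-config></session-config></web-app>"""
SERAPH_XML = """<security-config><parameters><init-param>
  <param-name>autologin.cookie.age</param-name><param-value>172800</param-value>
</init-param></parameters></security-config>"""
DEFAULT_REMEMBER_ME = 14 * 24 * 3600  # 1209600 s when autologin.cookie.age is absent

def _child_text(node, *path):
    # Walk child elements by local name (web.xml carries a Java EE namespace);
    # return the text of the last step, or None if any step is missing.
    for name in path:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip() or None

def web_xml_settings(xml_text):
    root = ET.fromstring(xml_text)
    timeout = _child_text(root, "session-config", "session-timeout")
    max_age = _child_text(root, "session-config", "cookie-config", "max-age")
    return {"idle_minutes": int(timeout) if timeout else None,
            "jsessionid_max_age": int(max_age) if max_age else None}

def seraph_cookie_age(xml_text):
    for param in ET.fromstring(xml_text).iter("init-param"):
        if _child_text(param, "param-name") == "autologin.cookie.age":
            return int(_child_text(param, "param-value"))
    return DEFAULT_REMEMBER_ME

def effective_settings(conf_web, app_web, seraph):
    # confluence/WEB-INF/web.xml wins over conf/web.xml for every value it sets
    glob, app = web_xml_settings(conf_web), web_xml_settings(app_web)
    merged = {k: app[k] if app[k] is not None else glob[k] for k in glob}
    merged["remember_me_seconds"] = seraph_cookie_age(seraph)
    return merged

def findings(cfg, max_session_seconds):
    # Checks worth running before restarting the nodes.
    out = []
    if cfg["jsessionid_max_age"] not in (None, (cfg["idle_minutes"] or 0) * 60):
        out.append("JSESSIONID max-age (seconds) disagrees with session-timeout (minutes)")
    if cfg["remember_me_seconds"] > max_session_seconds:
        out.append("autologin.cookie.age exceeds policy: remember-me outlives the idle timeout")
    return out
```

With the constructed input the audit reports that the 2-day remember me cookie exceeds an 8-hour policy, which is exactly the case the forced-logout procedure exists to close.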

See also

Confluence Cookies

HTTP authentication with Seraph

HTTP Cookie - Wikipedia

Using HTTP cookies - Mozilla

How to configure the 'Remember Me' feature in Confluence



Last modified on Sep 28, 2023
