Confluence protects access to its administrative functions by requiring a secure administration session to use the Confluence administration console or administer a space. When a Confluence administrator (who is logged into Confluence) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the Confluence/space administration console.
The temporary secure session has a rolling timeout (defaulted to 10 minutes). If there is no activity by the administrator in the Confluence/space administration console for a period of time that exceeds the timeout, then the administrator will be logged out of the secure administrator session (note, they will remain logged into Confluence). If the administrator does click an administration function, the timeout will reset.
To configure secure administrator sessions:
- Choose the cog icon , then choose General Configuration under Confluence Administration
- Choose Security Configuration in the left-hand panel.
- Choose Edit.
- Configure the setting as follows:
- To disable secure administrator sessions, uncheck the Enable check box next to Secure administrator sessions. When this setting is disabled, administrators will no longer be required to log into a secure session to access the administration console.
- To change the timeout for secure administrator sessions, update the value next to minutes before invalidation. The default timeout for a secure administration session is 10 minutes.
- Choose Save.
- Disabling password confirmation. Confluence installations that use a custom authentication mechanism may run into problems with the Confluence security measure that requires password confirmation. If necessary, you can set the
password.confirmation.disabledsystem property to disable the password confirmation functionality. See Recognised System Properties. See issue CONF-20958 "Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication".
- WebSudo. The feature that provides secure administrator sessions is also called 'WebSudo'.
- Manually ending a secure session. An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen. For example:
- Note for developers. Secure administrator sessions can cause exceptions when developing against Confluence or deploying a plugin. Please read this FAQ: How do I develop against Confluence with Secure Administrator Sessions? Note: The Confluence XML-RPC and REST APIs are not affected by secure administration sessions.