JIRA is now available as three separate applications, JIRA Software, JIRA Service Desk, and JIRA Core. For more information on administering these applications, refer to the Administering JIRA Applications documentation.

Configuring Secure Administrator Sessions

JIRA protects access to its administrative functions by requiring a secure administration session in order to use the JIRA administration screens. (This is also known as websudo.) When a JIRA administrator (who is logged into JIRA) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the JIRA administration screens.

The temporary secure session has a rolling timeout (10 minutes by default). If the administrator is inactive in the JIRA administration screens for longer than the timeout, they are logged out of the secure administrator session (they remain logged into JIRA). Each time the administrator clicks an administration function, the timeout resets.

Note that Project Administration functions (as defined by the 'Project Administrator' permission) do not require a secure administration session.

Manually ending a Secure Administrator Session

An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.

Disabling Secure Administrator Sessions

Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your JIRA site (e.g. if you are using a custom authentication mechanism), you can disable this feature by setting the jira.websudo.is.disabled property to true in your jira-config.properties file.

You will need to restart your JIRA server for this setting to take effect.

Changing the Timeout

To change the number of minutes of inactivity after which a secure administrator session times out, set the jira.websudo.timeout property in your jira-config.properties file. Its value is the number of minutes of inactivity required before a secure administration session times out.

For example, setting jira.websudo.timeout to 10 in your jira-config.properties file will end a secure administration session after 10 minutes of inactivity.

You will need to restart your JIRA server for this setting to take effect.
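
As an added example (not Atlassian's code and not part of the original page), the following Python audits the contents of a jira-config.properties file for the two settings described under 'Disabling Secure Administrator Sessions' and 'Changing the Timeout'. The function names, the simplified properties parser, the case-insensitive match on "true" and the max_timeout_min policy threshold are assumptions made for illustration.

```python
import re

DEFAULT_TIMEOUT_MIN = 10  # default timeout stated on this page


def parse_properties(text):
    """Simplified .properties reader: 'key = value' or 'key: value' lines,
    '#' and '!' comments. A later duplicate key overrides an earlier one.
    Line continuations and escape sequences are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props


def audit_websudo(text, max_timeout_min=DEFAULT_TIMEOUT_MIN):
    """Return findings about the secure administrator session settings."""
    props = parse_properties(text)
    findings = []
    # Assumption: "true" is matched case-insensitively.
    if props.get("jira.websudo.is.disabled", "false").lower() == "true":
        findings.append("websudo disabled: admin screens need no password re-entry")
    timeout = props.get("jira.websudo.timeout")
    if timeout is not None:
        if not re.fullmatch(r"[0-9]+", timeout):
            findings.append(f"timeout {timeout!r} is not a whole number of minutes")
        elif int(timeout) > max_timeout_min:
            findings.append(f"timeout {timeout} min exceeds policy of {max_timeout_min} min")
    return findings


# Constructed sample file contents, not taken from a real instance.
SAMPLE = """\
# jira-config.properties (constructed sample)
jira.websudo.is.disabled = true
jira.websudo.timeout = 120
"""

if __name__ == "__main__":
    for finding in audit_websudo(SAMPLE):
        print("FINDING:", finding)
```

Run it against the jira-config.properties in the JIRA Home Directory, since that is the copy the comments below identify as the one JIRA reads.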

Developer Notes

If you have written a plugin that has webwork actions in the JIRA Administration section, those actions should have the @WebSudoRequired annotation added to the class (not the method or the package, unlike Confluence).

Please also see How do I develop against JIRA with Secure Administrator Sessions? and Adding WebSudo Support to your Plugin.


20 Archived comments

  1.


    this :

    jira.websudo.is.disabled = true

     doesn't work on my freshly installed Jira 4.4.1


    06 Oct 2011
    1.

      Giles Gaskell

      Hi there,

      I have tried this myself on a freshly installed JIRA 4.4 installation and an upgrade of that installation to JIRA 4.4.1. In both scenarios, this setting worked as expected. Could you please confirm the following:

      • You have added this property to your jira-config.properties file located at the root of your JIRA Home Directory.
        (info) You need to create this file and property if they don't exist.
      • You have restarted your JIRA installation to make this newly-added property take effect. (We've just clarified this in the documentation above.)



      10 Oct 2011
  2.


    The code "jira.websudo.is.disabled = true" does work on a new instance installation of JIRA 4.4.1 (Upgrade from 4.1.12). If I access my JIRA site through Firefox and IE 8 in HTTP mode, this stops the administration prompt from showing up. However, once I switched to HTTPS mode (with the self-signed certificate), this administration prompt still shows up in IE 8, even though I have added the self-signed certificate to the Trust Root store. The only way to get rid of it is to change the "Allow Mixed Content" option in IE 8 to "Prompt", but this causes more annoying popups. Firefox doesn't have this problem. Looks like Atlassian is still working on this.


    19 Oct 2011
  3.

    John Dzilvelis

    To change the timeout, I found that I had to edit the appropriate section of atlassian-jira/WEB-INF/classes/jpm.xml. 

    In my case, I wanted to increase the timeout instead of disabling it.

    Editing (after creating) the jira-config.properties file did not seem to work.

    19 Oct 2011
    1.

      Jens Koblitz

      That did the trick on my OSX instance.


      Thank you!

      10 Nov 2013
  4.


    This doesn't work on JIRA 5.1.6. I still get prompted multiple times within the same few minutes when I'm accessing Admin pages. Pretty annoying to say the least.

    16 Oct 2012
    1.

      Andrew Lui [Atlassian Technical Writer]


      Have you tried setting the timeout for your secure administrator sessions (see 'Changing the Timeout' section above)? If you've changed it to a suitably long period and are still getting prompted for the timeout, can I suggest raising an issue in our support system to get further help: https://support.atlassian.com/ (If you do not have a login for our support system, you can sign up for a free one here: https://support.atlassian.com/secure/Signup!default.jspa)

      Kind Regards,


      16 Oct 2012
  5.

    IT Omnitracs

    Doesn't work here either.

    Click: admin page (no prompt)

    Click: application link (prompt for password)

    Administrator Access

    If you were sent to this page from a link obtained from an untrusted source please proceed with caution or validate the link source before continuing.


    Untrusted source? Not sure why an HTTPS link with self-signed is a problem?



    25 Apr 2013
    1.

      Penny Wyatt

      Secure Administrator Sessions is intended only for screens accessible only by administrators and system administrators. The main admin page contains no sensitive data or operations, and is accessible by project administrators, so does not require it.

      26 Apr 2013
  6.

    IT Omnitracs

    I figured out what the problem was:

    jira-config.properties was in 


    and it should be


    works as expected now!

    26 Apr 2013
    1.

      Adam Vondersaar

      It took me far too long to figure this out. When I think base install directory I think where I put the files.

      08 Oct 2014
  7.


    I have created the properties file and added in the line as described above, restarted the services but am still seeing the issue? Can anyone help with this?

    06 Jan 2014
  8.

    Susan Kraft-yorke

    How do we set timeout for On Demand instances?

    02 Apr 2014
    1.

      Warren Thompson

      Hi Susan,

      As JIRA OnDemand is hosted for you, it is not possible to change the timeout period from 10 minutes. This is set for our users' security. I hope it doesn't inconvenience you too much!



      14 Apr 2014
      1.

        Sorin Sbarnea (Citrix)

        Why not state in the first paragraph of the article that this workaround doesn't work with the ON-DEMAND version?

        This "security" feature is more of a pain than security; it breaks any automation attempts. For example we cannot delete projects because there is no REST for it and the normal web interface chokes due to this feature.

        16 Jul 2014
      1.

        Susan Kraft-yorke

        Hi Warren,

        10 minutes? We never get logged out. We lock our OS as a precautionary device.

        16 Jul 2014
  9.

    David Hergert

    I wish there was a way to do this via the UI like in Confluence. (sad)

    22 Jul 2014
  10.

    Duncan Fletcher

    For the benefit of others, not only does this not apply to JIRA OnDemand (clearly - you need access to the server to edit such settings) but it turns out that websudo is not available at all in Cloud instances. Hopefully it takes others less time to find this note than it took me to find that out!

    30 Jul 2014
  11.

    Derek Sheeman

    "and restart jira" = fail

    This needs to be a checkbox in the system settings.

    16 Sep 2014
  12.

    Blazej Olszyca

    Is there any possibility to turn the secure administrator sessions back on after we turned it off?

    We tried changing the line to

    jira.websudo.is.disabled = false

    and even removing the line completely. Nothing works.

    05 Mar 2015