How to change the default session timeout to avoid user logout in Jira
The information on this page relates to customizations in JIRA Applications. Consequently, Atlassian Support cannot guarantee the provision of any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.
Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
By default, Jira relies on two cookies to manage a user session:
- JSESSIONID: managed by Tomcat.
  - By default, it's considered a session cookie. Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers restore sessions when restarting. This can cause session cookies to last indefinitely.
- seraph.rememberme.cookie: managed by the application through the Seraph framework.
  - This cookie is used when the Remember me option is selected during login.
  - This option is also enforced when configuring SSO as described in SSO for Atlassian Server and Data Center App with default settings.
  - By default, this is considered a permanent cookie. Permanent cookies are deleted at the date specified by the Expires attribute, or after the period of time specified by the Max-Age attribute.
When seraph.rememberme.cookie isn't set and the only cookie identifying the session is JSESSIONID, the session is lost, so the user has to authenticate again, when:
- The user closes the browser.
- The application node is restarted.
- The user is sent to a different application node on a clustered Data Center.
- The user logs out.
- The user is idle for five hours (300 minutes is the default configuration).
This doesn't apply when the user is working on a dashboard and gadgets are auto-refreshing. In this case, the session isn't lost even if the user is idle on one of the dashboards for more than 60 minutes.
When seraph.rememberme.cookie is set, its default max-age is configured for 14 days (1,209,600 seconds). After that, the browser automatically deletes the cookie, so the above-mentioned rules will apply.
But while this cookie is valid, it has precedence over the JSESSIONID. So, the session isn't lost when:
- The browser is closed.
- The application node is restarted.
- The user is sent to a different application node on a clustered Data Center.
- The user is idle on the browser.
If the Jira administrator needs to adjust the session timeout for users, they can adjust the configuration of these two cookies depending on the goal. They can change the following configuration files:
- <jira-install>/conf/web.xml: this is where you manage the Tomcat session cookie (JSESSIONID) that is assigned globally on the web server.
- <jira-install>/atlassian-jira/WEB-INF/web.xml: this is where you manage the Tomcat session cookie (JSESSIONID) that is assigned to the Jira application. The value adjusted here has precedence over the previous file.
- <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml: the values adjusted in this file are applied to seraph.rememberme.cookie.
When you change the session timeout via the XML files, your changes won't apply to dashboard sessions. So, these sessions won't be lost even if the user is idle on one of the dashboards for more than 60 minutes.
Environment
Jira Data Center and Server (Core, Software, and Service Management).
Solution
Below are a few ways of changing session timeouts.
Change the idle timeout
Let's suppose you want to invalidate a session when the user is idle for two hours unless the Remember me option is selected. (This is an example and the value should be changed based on your needs.)
Then the only file you should modify is <jira-install>/atlassian-jira/WEB-INF/web.xml. Here's what you should do:
- Edit <jira-install>/atlassian-jira/WEB-INF/web.xml and search for a block similar to the following. (This is the default configuration.)
    <!-- session config -->
    <session-config>
        <session-timeout>300</session-timeout>
    </session-config>
- Adjust this configuration as follows. The session timeout is configured in minutes.
    <!-- session config -->
    <session-config>
        <session-timeout>120</session-timeout>
    </session-config>
- Restart Jira to apply the changes. A rolling restart is enough, so you won't have full downtime. If you're running Jira on a cluster, apply the changes on every node.
Change the lifetime of the remember me cookie
Let's suppose you want to change the lifetime of the seraph.rememberme.cookie cookie to two days. (This is an example and the value should be changed based on your needs.)
Then the only file you should modify is <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml.
Usually, this is the configuration you should change when you need to modify the session timeout.
- Edit <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml and search for a configuration similar to the following. (This is the default configuration.)
    <!-- This property sets the default remember me cookie max age in seconds. It is currently set to 2 weeks -->
    <init-param>
        <param-name>autologin.cookie.age</param-name>
        <param-value>1209600</param-value>
    </init-param>
- Adjust the configuration as follows. The value is adjusted in seconds.
    <!-- This property sets the default remember me cookie max age in seconds. It is currently set to 2 days -->
    <init-param>
        <param-name>autologin.cookie.age</param-name>
        <param-value>172800</param-value>
    </init-param>
- Restart Jira to apply the changes. A rolling restart is enough, so you won't have full downtime. If you're running Jira on a cluster, apply the changes on every node.
Forcefully log out users some time after they authenticated
Let's suppose you have strict security policies and you need to expire a session eight hours after the user authenticated, whether the user is idle or not. (This is an example and the value should be changed based on your needs.)
In such a case, you can log the user out even when they're idle on a dashboard. Sometimes this is unwanted behaviour, so be careful when choosing this solution; go for it only when applying both of the above-mentioned solutions isn't enough to resolve your issue.
Here are the recommended configuration changes you should make in each of the files.
- Edit <jira-install>/conf/web.xml and search for a block similar to the following. (This is the default configuration.)
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
  Adjust the configuration as follows.
    <session-config>
        <session-timeout>480</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
        <cookie-config>
            <max-age>28800</max-age>
        </cookie-config>
    </session-config>
  Notes:
  - session-timeout is configured in minutes, while max-age is configured in seconds.
  - Adding max-age to JSESSIONID turns it into a permanent cookie.
  - When the user is idle for session-timeout minutes, the user session will be cleared.
  - After max-age expires, the user will be forced to log out.
  - max-age can be set to a different value from session-timeout.
- Edit <jira-install>/atlassian-jira/WEB-INF/web.xml and search for a block similar to the following. (This is the default configuration.)
    <!-- session config -->
    <session-config>
        <session-timeout>300</session-timeout>
    </session-config>
  Adjust this configuration as follows.
    <!-- session config -->
    <session-config>
        <session-timeout>480</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
        <cookie-config>
            <max-age>28800</max-age>
        </cookie-config>
    </session-config>
- Edit <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.
    <!-- This property sets the default remember me cookie max age in seconds. It is currently set to 8 hours -->
    <init-param>
        <param-name>autologin.cookie.age</param-name>
        <param-value>28800</param-value>
    </init-param>
- Restart Jira to apply the changes. A rolling restart is enough, so you won't have full downtime. If you're running Jira on a cluster, apply the changes on every node.
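As an added example (not Atlassian's code and not part of this article), the following Python audit parses the three files discussed above, applies the precedence rule between the two web.xml files, and lists every cookie setting that could let a session outlive an assumed policy limit. The file contents below are constructed minimal samples mirroring the snippets above; to audit a real instance, read the actual files under <jira-install> into the same functions.

```python
import xml.etree.ElementTree as ET
# Constructed sample content mirroring the article's snippets (not real files).
CONF_WEB_XML = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><session-config>'
                '<session-timeout>30</session-timeout></session-config></web-app>')
APP_WEB_XML = ('<web-app><session-config><session-timeout>480</session-timeout>'
               '<tracking-mode>COOKIE</tracking-mode><cookie-config><max-age>28800'
               '</max-age></cookie-config></session-config></web-app>')
SERAPH_XML = ('<security-config><parameters><init-param><param-name>autologin.cookie.age'
              '</param-name><param-value>1209600</param-value></init-param></parameters>'
              '</security-config>')

def _local(tag):  # drop the XML namespace that web.xml normally declares
    return tag.rsplit("}", 1)[-1]

def _child_text(node, *names):  # walk direct children by local tag name; None if absent
    for name in names:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip() or None

def web_xml_settings(xml_text):  # -> (session-timeout in minutes, JSESSIONID max-age in seconds)
    root = ET.fromstring(xml_text)
    timeout = _child_text(root, "session-config", "session-timeout")
    max_age = _child_text(root, "session-config", "cookie-config", "max-age")
    return (int(timeout) if timeout else None, int(max_age) if max_age else None)

def seraph_cookie_age(xml_text):  # autologin.cookie.age in seconds, else Seraph's 14-day default
    for p in ET.fromstring(xml_text).iter():
        if _local(p.tag) == "init-param" and _child_text(p, "param-name") == "autologin.cookie.age":
            return int(_child_text(p, "param-value"))
    return 1209600

def effective_settings(conf_web_xml, app_web_xml, seraph_xml):  # app web.xml overrides conf/web.xml
    conf, app = web_xml_settings(conf_web_xml), web_xml_settings(app_web_xml)
    timeout, max_age = (a if a is not None else c for a, c in zip(app, conf))
    return {"idle_timeout_min": timeout, "jsessionid_max_age_sec": max_age,
            "rememberme_age_sec": seraph_cookie_age(seraph_xml)}

def policy_findings(settings, max_session_sec):
    """Every way a session could outlive max_session_sec (an assumed policy limit)."""
    findings = []
    if settings["jsessionid_max_age_sec"] is None:
        findings.append("JSESSIONID has no max-age: browser session restore can keep it alive")
    elif settings["jsessionid_max_age_sec"] > max_session_sec:
        findings.append("JSESSIONID max-age exceeds the limit")
    if settings["idle_timeout_min"] * 60 > max_session_sec:
        findings.append("session-timeout exceeds the limit")
    if settings["rememberme_age_sec"] > max_session_sec:
        findings.append("autologin.cookie.age exceeds the limit: remember-me outlives the session")
    return findings
```

With the samples as given (web.xml files changed for eight hours but seraph-config.xml left at its default), the audit reports the remember-me cookie as the one setting still exceeding an 8-hour limit, which is exactly why the third procedure also changes autologin.cookie.age.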
Additional details
If you're looking for a similar document for other Atlassian products, check the following articles:
- Bamboo: How to change Bamboo user session timeout
- Bitbucket: How do I change the default session timeout
- Confluence: How to adjust the session timeout for Confluence
Possible causes if the changes you made don't work
- There is a known issue where the configured timeout might be changed by the Atlassian Bot Session Killer, as described here. If that happens, you should first disable the bot and then change the session timeout again. Refer to When using a third-party authenticator, user sessions may terminate earlier than expected when idle for additional details.
- If you're running multiple Atlassian applications on the same server, Jira users may still get consistently logged out. In this case, you should try to change the context path according to Logging into Another Atlassian Application Logs Me Out of Confluence. Also, check the following tickets for more details:
  - JRA-60844
  - JRASERVER-73080
- It is possible for third-party apps to interfere with this behaviour. You can temporarily enable Safe Mode (disables all installed apps) and check whether the behaviour persists to confirm if this applies to you: Disabling and enabling apps - Disabling or enabling all apps (using Safe Mode)
- You have modified your Jira's seraph-config.xml file. Modifications to this file are normally done for custom SSO implementations. A custom SSO implementation may have its own timeout configuration, which interferes with Jira's default timeout settings. To overcome this, you will have to either:
  - Disable the custom SSO by reverting the changes you made to seraph-config.xml; OR
  - Configure the timeout in your SSO application. For example, if you are using Crowd SSO, you can configure the session timeout based on this documentation: Crowd - Session configuration