Change the default session timeout to avoid user logout in Jira server

Still need help?

The Atlassian Community is here for you.

Ask the community

The information on this page relates to customizations in JIRA Applications. Consequently, Atlassian Support cannot guarantee the provision of any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.

Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.

Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.

Summary

By default, Jira relies on two cookies to manage a user session:

  • JSESSIONID managed by Tomcat. By default, it's considered a session cookie.

Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.

Permanent cookies are deleted at a date specified by the Expires attribute, or after a period of time specified by the Max-Age attribute.

When seraph.rememberme.cookie isn't set and the only cookie identifying the session is JSESSIONID, the session is lost. So, the user should authenticate again when:

  • The user closes the browser.
  • The application node is restarted.
  • The user is sent to a different application node on a clustered Data Center.
  • The user logs out.
  • The user is idle for five hours. (300 minutes is the default configuration).

This doesn't apply when the user is working on a dashboard and gadgets are auto-refreshing. In this case, the session isn't lost even if the user is idle on one of the dashboards for more than 60 minutes.

When seraph.rememberme.cookie is set, its default max-age is configured for 14 days (1,209,600 seconds). After that, the browser automatically deletes the cookie, so the above-mentioned rules will apply.

But while this cookie is valid, it has precedence over the JSESSIONID. So, the session isn't lost when:

  • The browser is closed.
  • The application node is restarted.
  • The user is sent to a different application node on a clustered Data Center.
  • The user is idle on the browser.

In case the Jira administrator needs to adjust the session timeout for users, they can adjust the configuration of these two cookies depending on the goal.

They can change the following configuration files:

  • <jira-install>/conf/web.xml
    • This is where you manage the Tomcat session cookie (JSESSIONID) that will be assigned globally on the webserver.

  • <jira-install>/atlassian-jira/WEB-INF/web.xml
    • This is where you manage the Tomcat session cookie (JSESSIONID) that will be assigned to the Jira application.
    • The value adjusted here has precedence over the previous file.
  • <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml
    • The values adjusted in this file are applied to seraph.rememberme.cookie.

When you change the session timeout via the XML files, your changes won't apply to dashboard sessions. So, these sessions won't be lost even if the user is idle on one of the dashboards for more than 60 minutes.

Environment

Jira Data Center and Server (Core, Software, and Service Management).

Solution

Check a few ways of changing session timeouts.

Change the idle timeout

Let's suppose you want to invalidate a session when the user is idle for two hours unless the Remember me option is selected. (This is an example and the value should be changed based on your needs.)

Then the only file you should modify is <jira-install>/atlassian-jira/WEB-INF/web.xml. Here's what you should do:

  1. Edit <jira-install>/atlassian-jira/WEB-INF/web.xml and search for a block similar to the following. (This is the default configuration.)

        <!-- session config -->
        <session-config>
            <session-timeout>300</session-timeout>
        </session-config>
  2. Adjust this configuration as follows. The session timeout is configured in minutes.

        <!-- session config -->
        <session-config>
            <session-timeout>120</session-timeout>
        </session-config>
  3. Restart Jira to apply the changes. A rolling restart is enough, so you won't have a full downtime.

If you're running Jira on a cluster, apply the changes on every node.

Change the lifetime of the remember me cookie

Let's suppose you want to change the lifetime of the seraph.rememberme.cookie cookie for two days. (This is an example and the value should be changed based on your needs.)

Then the only file you should modify is <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml.

Usually, this is the configuration you should change when you need to modify the session timeout.

  1. Edit <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml and search for a configuration similar to the following. (This is the default configuration.)

            <!-- This property sets the default remember me cookie max age in seconds.  It is currently set to 2 weeks -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>1209600</param-value>
            </init-param>
  2. Adjust the configuration as follows. The value is adjusted in seconds.

            <!-- This property sets the default remember me cookie max age in seconds.  It is currently set to 2 days -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>172800</param-value>
            </init-param> 
  3. Restart Jira to apply the changes. A rolling restart is enough, so you won't have a full downtime.

If you're running Jira on a cluster, apply the changes on every node.

Forcefully logout users sometime after they authenticated

Let's suppose you have strict security policies and you need to expire a session eight hours after the user authenticated, no matter if the user is idle or not. (This is an example and the value should be changed based on your needs.)

In such case, you can log the user out even when they're idle on a dashboard. But sometimes, this is the unwanted behavior, so you should be careful when choosing this solution. You may go for it only when applying both the above-mentioned solutions isn't enough to resolve your issue.

Here are the recommended configuration changes you should make in each of the files.

  1. Edit <jira-install>/conf/web.xml and search for a block similar to the following. This is the default configuration.

        <session-config>
            <session-timeout>30</session-timeout>
        </session-config>
  2. Adjust the configuration as follows.

        <session-config>
            <session-timeout>480</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
            <cookie-config> 
              <max-age>28800</max-age> 
            </cookie-config>
        </session-config>
    • session-timeout is configured in minutes, while max-age is configured in seconds.
    • Adding max-age to JSESSIONID turns it into a permanent cookie.

  3. Edit <jira-install>/atlassian-jira/WEB-INF/web.xml and search for a block similar to the following. This is the default configuration.

        <!-- session config -->
        <session-config>
            <session-timeout>300</session-timeout>
        </session-config>
  4. Adjust this configuration as follows.

        <!-- session config -->
    	<session-config>
            <session-timeout>480</session-timeout>
            <tracking-mode>COOKIE</tracking-mode>
            <cookie-config> 
              <max-age>28800</max-age> 
            </cookie-config>
        </session-config>
  5. Edit <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.

             <!-- This property sets the default remember me cookie max age in seconds. It is currently set to 8 hours -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>28800</param-value>
            </init-param> 
  6. Restart Jira to apply the changes. A rolling restart is enough, so you won't have a full downtime.

If you're running Jira on a cluster, apply the changes on every node.

Additional details

There is a known issue that the set timeout might be changed by the Atlassian Bot Session Killer, as described here.

If that happens, you should first disable the bot and then change the session again. Refer to When using a third-party authenticator, user sessions may terminate earlier than expected when idle for additional details.

If you're running multiple Atlassian applications on the same server, Jira users may still get consistently logged out. In this case, you should try to change the context path according to the Logging into Another Atlassian Application Logs Me Out of Confluence.

 Also, check the following tickets for more details:

JRA-60844 - Getting issue details... STATUS

JRASERVER-73080 - Getting issue details... STATUS

If you're looking for a similar document for other Atlassian products, check the following articles:


Last modified on Aug 9, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.