How to force all users of Atlassian on-prem products to re-authenticate their sessions on the browser (Server and Data Center)


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

There are times the application administrator may need to invalidate the session of all users accessing the Atlassian product from a browser and force them to authenticate again.

In general, Atlassian products rely on two cookies that identify a user session on a browser:

  • Tomcat cookie.
    • The default name is JSESSIONID or BITBUCKETSESSIONID depending on the product.
    • By default the values are managed in-memory by Tomcat.
  • Seraph cookie.
    • Also known as the remember me cookie, with a different (default) naming convention for each product.
    • By default the values are stored in the application database.
    • Bitbucket uses a different framework than Seraph.
  • Jetty cookie
    • The default name used by Fisheye/Crucible is FESESSIONID.

You may want to check each product's documentation to learn more about their cookies.


Currently there's no in-product feature to clear users' browser sessions as detailed in the following issues.



The remainder of the document describes workarounds that invalidate the cookies' values and force users to authenticate again.


This document is provided as-is

Atlassian on-prem products are flexible enough to allow some customization; however, Atlassian's Support Offerings do not cover assistance in this area. Consequently, Atlassian cannot guarantee any support for such customizations.

If any assistance with customization is required, please check one of the following channels:

Environment

This document covers steps for the following Atlassian on-prem products:

  • Bamboo Data Center or Server.
  • Bitbucket Data Center or Server.
  • Confluence Data Center or Server.
  • Jira Data Center or Server (Core, Software and Service Management).
  • Fisheye/Crucible Server

Workaround

Clearing the remember me token database table

This workaround relies on deleting known remember me token values from the database and then restarting the application.

With the application restart any Tomcat cookie value is reset, since this is managed in-memory.
Deleting known remember me values invalidates the token stored on the users' browsers.

Both of the above changes will force any user to re-authenticate as their cookies will be invalid.

It's important to note this is a disruptive change to all users.

Procedure

Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.

  1. Check the current values stored on the database.

    select * from rememberme_token;
    select * from sta_remember_me_token;
    select * from remembermetoken;
    select * from cru_login_cookie;
  2. Delete all values from the table storing the remember me tokens.

    In Jira, the tokens can be cleared from the administration screen:

    1. In the upper-right corner of the screen, select Administration > System.
    2. Under Security (the left-side panel), select Remember my login to open the Remember my login for all users page.
    3. Select Clear all to remove all "remember my login" tokens from the Jira server.

    If you need to delete it from the Jira database directly...

    Deleting directly from the Jira database is only needed if you can't access the above feature from the Jira administration.

    delete from remembermetoken;

    delete from rememberme_token;
    delete from sta_remember_me_token;
    delete from remembermetoken;
    delete from cru_login_cookie;
  3. Restart the application so the changes are applied to the in-memory cache and to clear Tomcat session cookies.
    1. When running the application on a cluster, the restart must be applied to each node. A rolling restart is enough, meaning you won't have a full downtime.
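
Steps 1 and 2 above can be scripted so the delete runs in a single transaction and is verified before it is committed. The following is an added example, not Atlassian's code: it uses an in-memory SQLite database as a stand-in for the product database, the function names are hypothetical, and the column names in the demo table are constructed. The application restart in step 3 is still required afterwards.

```python
import sqlite3

# Table names from the queries in this article; a product database is
# expected to hold only the one table its product uses.
TOKEN_TABLES = ("rememberme_token", "sta_remember_me_token",
                "remembermetoken", "cru_login_cookie")


def existing_token_tables(conn):
    """Return the article's token tables that exist in this database."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    present = {r[0].lower() for r in rows}
    return [t for t in TOKEN_TABLES if t in present]


def clear_remember_me_tokens(conn):
    """Delete all remember me tokens in one transaction.
    Returns {table: rows_deleted}; raises (and rolls back) if rows remain
    or if no known token table exists in the database.
    """
    tables = existing_token_tables(conn)
    if not tables:
        raise LookupError("no known remember me token table found")
    deleted = {}
    with conn:  # commit on success, roll back on exception
        for table in tables:  # identifiers come only from the allowlist
            before = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
            conn.execute(f"DELETE FROM {table}")
            after = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
            if after != 0:
                raise RuntimeError(f"{table}: {after} rows remain")
            deleted[table] = before
    return deleted


def demo_db():
    """Constructed stand-in database with one token table (demo schema)."""
    conn = sqlite3.connect(":memory:")
    # Column names are invented for the demo, not the product schema.
    conn.execute("CREATE TABLE remembermetoken (id INTEGER, username TEXT, token TEXT)")
    conn.executemany("INSERT INTO remembermetoken VALUES (?, ?, ?)",
                     [(1, "alice", "t1"), (2, "bob", "t2"), (3, "alice", "t3")])
    conn.execute("CREATE TABLE unrelated (id INTEGER)")
    conn.commit()
    return conn


if __name__ == "__main__":
    print(clear_remember_me_tokens(demo_db()))
```

Against a real product database, the table lookup would use that database's own catalog instead of sqlite_master.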



See also

Using HTTP Cookies - Mozilla

Bamboo cookies

Confluence Cookies

Jira application cookies

Prevent automatic login

Atlassian Seraph



Last modified on Jul 30, 2024
