Summary

By default, Jira relies on two cookies to manage a user session:

• JSESSIONID managed by Tomcat. By default, it's considered a session cookie.

Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.

• seraph.rememberme.cookie managed by the application through the Seraph Framework.
  • This cookie is used when the Remember me option is selected during the login.
  • This option is also enforced when configuring SSO as described in SSO for Atlassian Server and Data Center App with default settings.
  • By default, this is considered a permanent cookie.

Permanent cookies are deleted at a date specified by the Expires attribute, or after a period of time specified by the Max-Age attribute.

When seraph.rememberme.cookie isn't set and the only cookie identifying the session is JSESSIONID, the session is lost. So, the user should authenticate again when:

• The user closes the browser.
• The application node is restarted.
• The user is sent to a different application node on a clustered Data Center.
• The user logs out.
• The user is idle for five hours. (300 minutes is the default configuration).
  
  

When seraph.rememberme.cookie is set, its default max-age is configured for 14 days (1,209,600 seconds). After that, the browser automatically deletes the cookie, so the above-mentioned rules will apply.

But while this cookie is valid, it has precedence over the JSESSIONID. So, the session isn't lost when:

• The browser is closed.
• The application node is restarted.
• The user is sent to a different application node on a clustered Data Center.
• The user is idle on the browser.

In case the Jira administrator needs to adjust the session timeout for users, they can adjust the configuration of these two cookies depending on the goal.

They can change the following configuration files:

• <jira-install>/conf/web.xml

  • This is where you manage the Tomcat session cookie (JSESSIONID) that will be assigned globally on the webserver.

• <jira-install>/atlassian-jira/WEB-INF/web.xml
  
  • This is where you manage the Tomcat session cookie (JSESSIONID) that will be assigned to the Jira application.
  • The value adjusted here has precedence over the previous file.
• <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml
  
  • The values adjusted in this file are applied to seraph.rememberme.cookie.

Environment

Jira Data Center and Server (Core, Software, and Service Management).

Solution

Check a few ways of changing session timeouts.

Change the idle timeout

Let's suppose you want to invalidate a session when the user is idle for two hours unless the Remember me option is selected. (This is an example and the value should be changed based on your needs.)

Then the only file you should modify is <jira-install>/atlassian-jira/WEB-INF/web.xml. Here's what you should do:

1. Edit <jira-install>/atlassian-jira/WEB-INF/web.xml and search for a block similar to the following. (This is the default configuration.)

       <!-- session config -->
       <session-config>
           <session-timeout>300</session-timeout>
       </session-config>

2. Adjust this configuration as follows. The session timeout is configured in minutes.

       <!-- session config -->
       <session-config>
           <session-timeout>120</session-timeout>
       </session-config>

3. Restart Jira to apply the changes. A rolling restart is enough, so you won't have a full downtime.

If you're running Jira on a cluster, apply the changes on every node.

Change the lifetime of the remember me cookie

Let's suppose you want to change the lifetime of the seraph.rememberme.cookie cookie for two days. (This is an example and the value should be changed based on your needs.)

Then the only file you should modify is <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml.

Usually, this is the configuration you should change when you need to modify the session timeout.

1. Edit <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml and search for a configuration similar to the following. (This is the default configuration.)

           <!-- This property sets the default remember me cookie max age in seconds.  It is currently set to 2 weeks -->
           <init-param>
               <param-name>autologin.cookie.age</param-name>
               <param-value>1209600</param-value>
           </init-param>

2. Adjust the configuration as follows. The value is adjusted in seconds.

           <!-- This property sets the default remember me cookie max age in seconds.  It is currently set to 2 days -->
           <init-param>
               <param-name>autologin.cookie.age</param-name>
               <param-value>172800</param-value>
           </init-param> 

3. Restart Jira to apply the changes. A rolling restart is enough, so you won't have a full downtime.

If you're running Jira on a cluster, apply the changes on every node.

Forcefully logout users sometime after they authenticated

Let's suppose you have strict security policies and you need to expire a session eight hours after the user authenticated, no matter if the user is idle or not. (This is an example and the value should be changed based on your needs.)

In such case, you can log the user out even when they're idle on a dashboard. But sometimes, this is the unwanted behavior, so you should be careful when choosing this solution. You may go for it only when applying both the above-mentioned solutions isn't enough to resolve your issue.

Here are the recommended configuration changes you should make in each of the files.

1. Edit <jira-install>/conf/web.xml and search for a block similar to the following. This is the default configuration.

       <session-config>
           <session-timeout>30</session-timeout>
       </session-config>

2. Adjust the configuration as follows.

       <session-config>
           <session-timeout>480</session-timeout>
           <tracking-mode>COOKIE</tracking-mode>
           <cookie-config> 
             <max-age>28800</max-age> 
           </cookie-config>
       </session-config>

   • session-timeout is configured in minutes, while max-age is configured in seconds.
   • Adding max-age to JSESSIONID turns it into a permanent cookie.
   • When the user is idle for session-timeout minutes, the user session will be cleared.
   • After max-age expires, the user will be forced to log out.
   • max-age can be set to different value from session-timeout

3. Edit <jira-install>/atlassian-jira/WEB-INF/web.xml and search for a block similar to the following. This is the default configuration.

       <!-- session config -->
       <session-config>
           <session-timeout>300</session-timeout>
       </session-config>

4. Adjust this configuration as follows.

       <!-- session config -->
   	<session-config>
           <session-timeout>480</session-timeout>
           <tracking-mode>COOKIE</tracking-mode>
           <cookie-config> 
             <max-age>28800</max-age> 
           </cookie-config>
       </session-config>

5. Edit <jira-install>/atlassian-jira/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.

            <!-- This property sets the default remember me cookie max age in seconds. It is currently set to 8 hours -->
           <init-param>
               <param-name>autologin.cookie.age</param-name>
               <param-value>28800</param-value>
           </init-param> 

6. Restart Jira to apply the changes. A rolling restart is enough, so you won't have a full downtime.

If you're running Jira on a cluster, apply the changes on every node.

Additional details

If you're looking for a similar document for other Atlassian products, check the following articles:

• Bamboo: How to change Bamboo user session timeout
• Bitbucket: How do I change the default session timeout
• Confluence: How to adjust the session timeout for Confluence

Possible causes if the changes you made doesn't work

1. There is a known issue that the set timeout might be changed by the Atlassian Bot Session Killer, as described here.
   
   If that happens, you should first disable the bot and then change the session again. Refer to When using a third-party authenticator, user sessions may terminate earlier than expected when idle for additional details.
   
   If you're running multiple Atlassian applications on the same server, Jira users may still get consistently logged out. In this case, you should try to change the context path according to the Logging into Another Atlassian Application Logs Me Out of Confluence.
   
    Also, check the following tickets for more details:
   
   JRA-60844 - Getting issue details... STATUS
   JRASERVER-73080 - Getting issue details... STATUS
2. It is possible for 3rd party apps to interfere with this behavior. You can temporarily enable Safe Mode (disables all installed apps) and check if the behaviour persists to confirm if this applies to you: Disabling and enabling apps \- Disabling or enabling all apps (using Safe Mode)
3. You have modified your Jira's seraph-config.xml file.
   Modification to this file is normally done for custom SSO implementation. Custom SSO implementation may have their own timeout configuration which interfere with Jira's default timeout settings. To overcome this, you will have to either
   1. Disable the custom SSO by reverting the changes you made to seraph-config.xml; OR
   2. Configure the timeout in your SSO application. For example, if you are using Crowd SSO, you can configure the session timeout based on this documentation: Crowd - Session configuration