Increase session timeout for the new app "Confluence Server"

Florian S July 23, 2018

Hello,

What's the disadvantage if I increase the timeout from 60 minutes to 600 minutes, for example? Can I do that worry-free?

Background: We would like to use the new app "Confluence Server" without many logouts.

https://confluence.atlassian.com/confkb/how-to-adjust-the-session-timeout-for-confluence-126910597.html

Best Regards
Florian

Answer accepted
MoroSystems Support
July 23, 2018

Hello Florian,

That's probably what the "Remember Me" function is for when logging in. I would say that automatic logout is more of a security function. If you click on "Remember Me", Confluence should not log you out, until your session or cookies are valid.

Regards,

František Špaček.

Florian S July 25, 2018

Hello František,

Thank you for the feedback.
What exactly is the function "remember me"?
Where can I find it?

We use SAML (SingleSignOn). Maybe this function does not exist at all with us.

Best Regards
Florian

MoroSystems Support
July 26, 2018

Hello Florian,

The "remember me" function in the login form. Do you use the Confluence login form, or do you have some other kind of login form outside Confluence?

If you use this function, it should save a cookie in your browser, and every time you access Confluence it checks for this cookie and you should stay logged in (till the cookie is invalidated). That will make your users stay logged in without logouts, and you can still maintain the 60-minute timeout. The timeout is applied when the user stops using the application. So if you return after more than 60 minutes, it checks for your session (which is expired), but if you use the Remember me function, it will validate the cookie and log you in automatically, so the user won't notice. If this is not the case or not an answer, I am sorry if I got you wrong.

Anyway - about increasing the default timeout - it really depends on lots of things. The biggest disadvantage of that lies in security breaches. It depends on many things - like whether the app is hidden behind a VPN, what data you store on Confluence (or will store), how badly a security breach will affect your business, and so on. In general, some high-risk apps have the session timeout set to 2 - 3 minutes, so if you don't touch the app for a short time, you need to validate again. It is mostly up to you what time you set for this; it should not have much effect on the server side. This is rather a security feature.
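
The trade-off discussed in this answer, as an added example that is not part of the original posts and not Confluence code: a small Python model of a sliding idle timeout with and without a remember-me cookie, showing how long an unattended browser still gets in without credentials. The `Policy` fields, the 14-day cookie lifetime, the cookie being counted from login, and the request times are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    idle_timeout: int      # minutes of inactivity before the server session expires
    remember_me: int = 0   # minutes the remember-me cookie is valid after login (0 = off)

def replay(policy, request_times):
    """Classify each request from one browser; times are minutes since login at t=0."""
    outcomes, last_seen, session_alive = [], 0, True
    for t in request_times:
        if session_alive and t - last_seen <= policy.idle_timeout:
            outcomes.append("session")            # idle timer simply slides forward
        elif policy.remember_me and t <= policy.remember_me:
            outcomes.append("remember-me")        # silent re-login creates a new session
            session_alive = True
        else:
            outcomes.append("login-required")     # nobody re-enters credentials in this model
            session_alive = False
        last_seen = t
    return outcomes

def unattended_window(policy, last_activity):
    """Minutes after the last activity during which the browser still gets in without credentials."""
    cookie_left = max(policy.remember_me - last_activity, 0)
    return max(policy.idle_timeout, cookie_left)

# Constructed policies: the thread's 60 and 600 minute timeouts, plus 60 minutes
# combined with an assumed 14-day remember-me cookie.
POLICIES = {
    "60 min idle": Policy(60),
    "600 min idle": Policy(600),
    "60 min idle + remember-me": Policy(60, 14 * 24 * 60),
}
REQUESTS = [30, 80, 200, 900]   # constructed request times, minutes since login

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:28} {replay(policy, REQUESTS)} "
              f"window after t=480: {unattended_window(policy, 480)} min")
```

In this model the remember-me cookie, not the 60-minute idle timeout, sets the exposure window, so its lifetime belongs in the same security review as the timeout value.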

Florian S July 26, 2018

Many Thanks.
We do not currently use the standard login form.

The assessment and the description helped me a lot.
We will check our Security Requirements.

MoroSystems Support
July 26, 2018

No problems, I was happy to help!

You can check other cool discussions about it, for example here:

https://security.stackexchange.com/questions/106786/how-long-should-a-session-absolute-timeout-be

Have a nice day.

Regards,

František Špaček
