JIRA admin session prompt is asking to re-authenticate too frequently

RS May 22, 2013

When I'm logged in as a JIRA admin user and I try to do something "adminey" I get a pop-up with:

"If you were sent to this page from a link obtained from an untrusted source please proceed with caution or validate the link source before continuing."

"You have requested access to an administrative function in JIRA and are required to validate your credentials below."

...asking me to re-authenticate.

It wouldn't be a problem if the re-authenticate session timeout were long enough, but it's only a few seconds. I am constantly presented with that pop-up for each admin action.

After some digging I found this:

https://confluence.atlassian.com/display/JIRA044/Configuring+Secure+Administrator+Sessions

I'm confused because the default timeout is supposed to be 10 minutes and I'm seeing around 10 seconds. Has anyone seen this before?

Info:

Using jira-5.2.9 with Crowd SSO on the same Linux box running in separate JREs

0 votes
Answer accepted
Zul NS _Atlassian_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 22, 2013

This is more towards the Secure Administrators Sessions instead of the timeout session for administrators. As quoted:

"password confirmation before accessing administration functions"

RS May 22, 2013

That's the same article I'm referring to. It's not the fact that JIRA prompts for a secure session that's a problem, it's the session timeout. From the article:

"The temporary secure session has a rolling timeout (defaulted to 10 minutes). If there is no activity by the administrator in the JIRA administration screens for a period of time that exceeds the timeout, then the administrator will be logged out of the secure administrator session (note that they will remain logged into JIRA). If the administrator does click an administration function, the timeout will reset."

It seems like my rolling timeout is only about 10 seconds, if that. Before I go creating the jira-config.properties file and overriding the default timeout I'd like to understand why I'm not seeing the documented default timeout of 10 minutes.

Zul NS _Atlassian_
Atlassian Team
May 22, 2013

I got what you mean now, thanks for the explanation. I tried to do a couple of tests (although I did have the problem previously), but I can't reproduce it. :( The jira-config.properties did work during my testing for jira.websudo.is.disabled = true

RS May 23, 2013

I created the file jira-config.properties in the jira home directory and added the line

jira.websudo.is.disabled = true

After restarting JIRA I do not get the JIRA secure sessions pop-up anymore.

I wish I knew why the 10 minute default session timeout was not working though.

Thanks for the help

Justin Leader
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 26, 2014

I agree that I see this kind of behavior in JIRA installs big and small.

Manuel Ruiz March 4, 2014

We are having the same problem.

Kevin Mote
Rising Star
March 25, 2014
6 votes
Azfar Masut February 3, 2016

When multiple applications are configured on the same domain with separate ports, users will be constantly logged out of each application as the {{SESSION_COOKIE_NAME}} is identical.

This is due to the Tomcat configuration. Please alter the default bundled Tomcat 7 config so that it has a unique JIRA session cookie by modifying the {{$JIRA_INSTALL/conf/context.xml}} to the following (or something similar):

{code:xml}
<Context sessionCookieName="JIRASESSIONID">
{code}

This will prevent users from getting into this problem in the first place.

Additional workarounds can be found within User is Constantly Logged out of JIRA.
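
Added example (not part of the original post and not Atlassian code): a small Python model of browser cookie storage showing why two Tomcat applications on the same host but different ports replace each other's JSESSIONID, and why renaming JIRA's session cookie stops that. The host name, ports and session values are constructed, and the default cookie path is simplified to "/".

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed origins: two Tomcat-based apps on one host, different ports.
JIRA = "http://apps.example.test:8080"
OTHER = "http://apps.example.test:8095"


class BrowserJar:
    """Minimal model of browser cookie storage: cookies are keyed by
    (name, host, path). The port is not part of the key (RFC 6265)."""

    def __init__(self):
        self.store = {}  # (name, host, path) -> (value, origin that set it)

    def receive(self, origin, set_cookie):
        """Store one Set-Cookie header; return origins whose cookie it replaced."""
        host = urlsplit(origin).hostname
        replaced = []
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            # Simplification: a missing Path attribute is treated as "/".
            key = (name, host, morsel["path"] or "/")
            previous = self.store.get(key)
            if previous and previous[1] != origin:
                replaced.append(previous[1])
            self.store[key] = (morsel.value, origin)
        return replaced

    def sent_to(self, origin, name, path="/"):
        """Value of cookie `name` the browser would send back to `origin`."""
        entry = self.store.get((name, urlsplit(origin).hostname, path))
        return entry[0] if entry else None


def simulate(jira_cookie_name):
    """Log in to JIRA, then touch the other app; report what JIRA gets back."""
    jar = BrowserJar()
    jar.receive(JIRA, f"{jira_cookie_name}=jira-session-1; Path=/; HttpOnly")
    replaced = jar.receive(OTHER, "JSESSIONID=other-session-1; Path=/; HttpOnly")
    return replaced, jar.sent_to(JIRA, jira_cookie_name)


if __name__ == "__main__":
    print("default name:", simulate("JSESSIONID"))     # JIRA's cookie is replaced
    print("renamed     :", simulate("JIRASESSIONID"))  # JIRA's cookie survives
```

With the default name, JIRA receives a session ID it never issued; with the renamed cookie, its own session ID comes back unchanged.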