Configure maximum lifetime of session in JIRA

Jeffrey Shank October 29, 2012

A client of ours has some very strict IT security rules for vendor systems that will contain sensitive data. One such rule is that a user may not be logged in for more than 10 hours without re-authenticating, regardless of activity.

I believe this is different from session-timeout in web.xml which seems to deal with inactivity timeouts.

Can you please help me understand how I can meet this requirement, if possible?

2 answers

1 accepted

2 votes
Answer accepted
Sunil Pothireddy [Intel] June 30, 2014

Thanks Jeff for getting back....

The issue with the above method is session-timeout overrides the value mentioned in autologin.cookie.age, so if the user has a dashboard which refreshes every 5 minutes then in that case this setting won't work....

I figured out the answer somehow.....

Under web.xml adding the following code

<!-- session config -->
<session-config>
    <session-timeout>300</session-timeout>
    <cookie-config>
        <max-age>36000</max-age>
    </cookie-config>
</session-config>

I have set max-age cookie of 10 hours....By this way you are forcing JIRA users to logout after 10hrs even though there is some activity in the last couple of minutes...

Hope this helps ....

Thanks,

Sunil Pothireddy

Jeffrey Shank July 6, 2014

Thanks for discovering this!

VitaliiT March 2, 2017

Thank you, Sunil!

I had to debug session expiration in my iOS app. Setting <max-age> and <session-timeout> to 60 seconds worked great for this purpose. You are awesome.

0 votes
LucasA
October 29, 2012

Hello,

The JIRA authentication in browser is determined by a cookie, so you can set its timeout in $JIRA_INSTALL/WEB-INF/classes/seraph-config.xml -- please look for the following parameters:

<!-- This property sets the default remember me cookie max age in seconds.  It is currently set to 2 weeks -->
<init-param>
    <param-name>autologin.cookie.age</param-name>
    <param-value>1209600</param-value>
</init-param>

1209600 seconds means 14 days, but you can set it to 864000 (10 hours). Please remember to restart JIRA after that.

I hope it helps!

Best regards,
Lucas Timm

Jeffrey Shank November 3, 2012

I tested this and autologin.cookie.age controls the lifetime of the cookie set when the user checks Remember My Login. This isn't quite enough to meet the requirement because as long as the session remains active the user won't be forced to re-authenticate even after the seraph.rememberme.cookie cookie expires.

It is almost like I need the login session cookie to have a timeout of 10 hours instead of session.

Sunil Pothireddy [Intel] June 27, 2014

Any luck @ Jeffrey Shank

I need to set something similar... Please let me know if you could find any workaround for this?

Jeffrey Shank June 27, 2014

I never found a workaround. We had to get an exception from the client on this security requirement.

Gabriel Brussa June 29, 2014

Jeff, take a look at this link as this is probably what you're looking for.
https://confluence.atlassian.com/display/JIRA/Changing+the+default+session+timeout

**Edit: will not log them out regardless of activity but will ensure they're logged out after that inactivity period.

Jeffrey Shank June 29, 2014

I used the method from that article to deal with the inactivity timeout requirement. I'm still seeking an answer for limiting the max lifetime of a session, independent of activity.
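The accepted answer's `<cookie-config><max-age>` setting tells the browser to discard the JSESSIONID cookie after 36000 seconds; the server-side session itself still lives until the inactivity timeout fires. The following servlet filter is an added example (not from this thread and not Atlassian code) showing how the absolute-lifetime requirement Jeffrey describes can also be enforced on the server: every request checks the session's creation time and invalidates the session once it is older than the limit, regardless of activity. The class name, the `max-lifetime-seconds` init-param and the web.xml registration in the comment are assumptions for illustration; the only page-specific value reused is the `seraph.rememberme.cookie` cookie name, which is cleared so the next request is not silently re-authenticated by remember-me.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread or from Atlassian: a servlet filter
 * that ends a session once it is older than a fixed limit, however active it
 * has been. The class name, the init-param "max-lifetime-seconds" and the
 * web.xml registration below are assumptions for illustration.
 *
 * Registration in web.xml (map it ahead of the Seraph security filter so the
 * session is already gone when JIRA inspects the request):
 *
 *   <filter>
 *     <filter-name>absolute-session-lifetime</filter-name>
 *     <filter-class>AbsoluteSessionLifetimeFilter</filter-class>
 *     <init-param>
 *       <param-name>max-lifetime-seconds</param-name>
 *       <param-value>36000</param-value>   <!-- 10 hours -->
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>absolute-session-lifetime</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class AbsoluteSessionLifetimeFilter implements Filter {

    /** Default limit: 10 hours, the figure from the original question. */
    private static final long DEFAULT_MAX_LIFETIME_SECONDS = 10L * 60 * 60;

    private long maxLifetimeMillis = DEFAULT_MAX_LIFETIME_SECONDS * 1000L;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("max-lifetime-seconds");
        if (configured != null) {
            try {
                maxLifetimeMillis = Long.parseLong(configured.trim()) * 1000L;
            } catch (NumberFormatException e) {
                throw new ServletException("max-lifetime-seconds must be an integer", e);
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so anonymous requests stay cheap.
        HttpSession session = request.getSession(false);
        if (session != null
                && isPastLimit(session.getCreationTime(), System.currentTimeMillis(), maxLifetimeMillis)) {
            // Server-side termination: the session is gone even if the browser
            // still presents a JSESSIONID cookie that has not yet expired.
            session.invalidate();

            // Expire the remember-me cookie named in the thread so the next
            // request is not auto-logged-in again. The cookie path is an
            // assumption about the deployment (context root of the JIRA app).
            Cookie rememberMe = new Cookie("seraph.rememberme.cookie", "");
            rememberMe.setMaxAge(0);
            rememberMe.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            response.addCookie(rememberMe);
        }
        chain.doFilter(req, res);
    }

    /** Pure check, kept separate so it can be unit-tested without a container. */
    static boolean isPastLimit(long createdAtMillis, long nowMillis, long maxLifetimeMillis) {
        return nowMillis - createdAtMillis >= maxLifetimeMillis;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter keys off `HttpSession.getCreationTime()` rather than a login timestamp: if an anonymous session was created before the user logged in, the window only gets shorter, never longer, so the "no more than 10 hours" rule still holds. The web.xml `max-age` from the accepted answer remains useful alongside this, since it stops the browser from presenting a stale cookie at all; the filter is what makes the limit hold even for a client that ignores cookie expiry.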
