A client of ours has some very strict IT security rules for vendor systems that will contain sensitive data. One such rule is that a user may not be logged in for more than 10 hours without re-authenticating, regardless of activity.
I believe this is different from session-timeout in web.xml which seems to deal with inactivity timeouts.
Can you please help me understand how I can meet this requirement, if possible?
Thanks Jeff for getting back....
The issue with the above method is session-timeout overrides the value mentioned in autologin.cookie.age, so if the user has a dashboard which refreshes
every 5 minutes then in that case this setting wont work....
I figured out the answer somehow.....
Under web.xml adding the following code
<!-- session config --> <session-config> <session-timeout>300</session-timeout> <cookie-config> <max-age> 36000 </max-age> </cookie-config> </session-config>
I have set max-age cookie of 10hours....By this way you are forcing JIRA users to logout after 10hrs even though their is some activity in the last couple of minutes...
Hope this helps ....
The JIRA authentication in browser is determined by a cookie, so you can set its timeout in $JIRA_INSTALL/WEB-INF/classes/seraph-config.xml -- please look for the following parameters:
<!-- This property sets the default remember me cookie max age in seconds. It is currently set to 2 weeks --> <init-param> <param-name>autologin.cookie.age</param-name> <param-value>1209600</param-value> </init-param>
1209600 seconds means 14 days, but you can set it to 864000 (10 hours). Please remember to restart JIRA after that.
I hope it helps!
I tested this and autologin.cookie.age controls the lifetime of the cookie set when the user checks Remember My Login. This isn't quite enough to meet the requirement because as long as the session remains active the user won't be forced to re-authenticate even after the seraph.rememberme.cookie cookie expires.
It is almost like I need the login session cookie to have a timeout of 10 hours instead of session.
Jeff, take a look at this link as this is probably what you're looking for.
**Edit: will not log them out regardless of activity but will ensure they're logged out after that inactivity period.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot