A client of ours has some very strict IT security rules for vendor systems that will contain sensitive data. One such rule is that a user may not be logged in for more than 10 hours without re-authenticating, regardless of activity.
I believe this is different from session-timeout in web.xml which seems to deal with inactivity timeouts.
Can you please help me understand how I can meet this requirement, if possible?
Thanks Jeff for getting back....
The issue with the above method is that session-timeout overrides the value mentioned in autologin.cookie.age, so if the user has a dashboard which refreshes every 5 minutes then in that case this setting won't work....
I figured out the answer somehow.....
Under web.xml, add the following code:
<!-- session config -->
<session-config>
    <session-timeout>300</session-timeout>
    <cookie-config>
        <max-age>36000</max-age>
    </cookie-config>
</session-config>
I have set the cookie max-age to 10 hours. This way you are forcing JIRA users to log out after 10 hours even though there is some activity in the last couple of minutes...
Hope this helps ....
The JIRA authentication in browser is determined by a cookie, so you can set its timeout in $JIRA_INSTALL/WEB-INF/classes/seraph-config.xml -- please look for the following parameters:
<!-- This property sets the default remember me cookie max age in seconds. It is currently set to 2 weeks -->
<init-param>
    <param-name>autologin.cookie.age</param-name>
    <param-value>1209600</param-value>
</init-param>
1209600 seconds means 14 days, but you can set it to 864000 (10 hours). Please remember to restart JIRA after that.
I hope it helps!
I tested this and autologin.cookie.age controls the lifetime of the cookie set when the user checks Remember My Login. This isn't quite enough to meet the requirement because as long as the session remains active the user won't be forced to re-authenticate even after the seraph.rememberme.cookie cookie expires.
It is almost like I need the login session cookie to have a timeout of 10 hours instead of session.
Jeff, take a look at this link as this is probably what you're looking for.
**Edit:** will not log them out regardless of activity but will ensure they're logged out after that inactivity period.
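
The requirement discussed in this thread (re-authentication after 10 hours regardless of activity) can also be enforced on the server instead of through cookie expiry alone. The following servlet filter is an added example, not code from any poster or from Jira itself; the class name, the `maxAgeSeconds` init-param, the redirect target and the use of the `javax.servlet` API in the target container are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: ends any session older than a fixed age, however active it is. */
public class AbsoluteSessionTimeoutFilter implements Filter {
    // Default matches the 10-hour rule from the question.
    private long maxAgeMillis = TimeUnit.HOURS.toMillis(10);

    @Override
    public void init(FilterConfig cfg) {
        // Optional init-param "maxAgeSeconds" (assumed name) overrides the default.
        String v = cfg.getInitParameter("maxAgeSeconds");
        if (v != null) {
            maxAgeMillis = TimeUnit.SECONDS.toMillis(Long.parseLong(v.trim()));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session here
        if (session != null && isExpired(session.getCreationTime(), System.currentTimeMillis())) {
            // The age is measured from session creation, not from last access,
            // so a dashboard that refreshes every 5 minutes does not extend it.
            session.invalidate();
            ((HttpServletResponse) res).sendRedirect(request.getContextPath() + "/");
            return;
        }
        chain.doFilter(req, res);
    }

    boolean isExpired(long createdMillis, long nowMillis) {
        return nowMillis - createdMillis >= maxAgeMillis;
    }

    @Override
    public void destroy() { }
}
```

Because the check runs on the server, a session cookie replayed after the browser should have discarded it is still rejected. A remember-me cookie that is still valid could sign the user back in without credentials, so autologin.cookie.age has to be limited or the feature disabled alongside this.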