Configure maximum lifetime of session in JIRA

A client of ours has some very strict IT security rules for vendor systems that will contain sensitive data. One such rule is that a user may not be logged in for more than 10 hours without re-authenticating, regardless of activity.

I believe this is different from session-timeout in web.xml which seems to deal with inactivity timeouts.

Can you please help me understand how I can meet this requirement, if possible?

2 answers

1 accepted

Thanks Jeff for getting back....

The issue with the above method is session-timeout overrides the value mentioned in autologin.cookie.age, so if the user has a dashboard which refreshes every 5 minutes then in that case this setting won't work....

I figured out the answer somehow.....

Under web.xml adding the following code

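    <!-- session config -->
    <session-config>
        <!-- idle (inactivity) timeout, in minutes -->
        <session-timeout>300</session-timeout>
        <cookie-config>
            <!-- lifetime of the session cookie, in seconds (36000 = 10 hours) -->
            <max-age>36000</max-age>
        </cookie-config>
    </session-config>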

I have set max-age cookie of 10 hours....By this way you are forcing JIRA users to logout after 10hrs even though there is some activity in the last couple of minutes...

Hope this helps ....

Thanks,

Sunil Pothireddy

Thanks for discovering this!

Thank you, Sunil!

I had to debug session expiration in my iOS app. Setting <max-age> and <session-timeout> to 60 seconds worked great for this purpose. You are awesome.
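An added model, not part of the original thread and not Jira or Tomcat code, of why the idle timeout alone never fires for the auto-refreshing dashboard described above while the cookie max-age still ends the login. It assumes the session cookie is issued once at login and is discarded by the browser after max-age; all names and the request timelines are constructed for illustration.

```python
from typing import Iterable, NamedTuple, Optional


class Config(NamedTuple):
    idle_timeout_s: int                     # <session-timeout>, converted from minutes
    cookie_max_age_s: Optional[int] = None  # <cookie-config><max-age>; None = not set


def forced_reauth_at(cfg: Config, request_times_s: Iterable[int]) -> Optional[int]:
    """Return the time (seconds after login) of the first request that arrives
    without a usable session, or None if the login survives every request.

    Assumptions of this model: login happens at t=0, the cookie's max-age is
    counted from login and never renewed, and every accepted request resets
    the server's idle timer.
    """
    last_seen = 0
    for t in sorted(request_times_s):
        cookie_gone = cfg.cookie_max_age_s is not None and t >= cfg.cookie_max_age_s
        idle_expired = t - last_seen > cfg.idle_timeout_s
        if cookie_gone or idle_expired:
            return t
        last_seen = t
    return None


def dashboard_refreshes(hours: int = 12, every_s: int = 300) -> list:
    """Constructed traffic: a dashboard left open that reloads every 5 minutes."""
    return list(range(120, hours * 3600, every_s))


# Values from the answer above: 300-minute idle timeout, 36000-second max-age.
IDLE_ONLY = Config(idle_timeout_s=300 * 60)
WITH_MAX_AGE = Config(idle_timeout_s=300 * 60, cookie_max_age_s=36000)

if __name__ == "__main__":
    traffic = dashboard_refreshes()
    print("idle timeout only :", forced_reauth_at(IDLE_ONLY, traffic))
    print("with max-age      :", forced_reauth_at(WITH_MAX_AGE, traffic))
    # A user who stops after one hour and returns six hours later hits the idle timeout.
    print("user walked away  :", forced_reauth_at(WITH_MAX_AGE, [3600, 25200]))
```

The cutoff modelled here is the browser dropping the cookie; the session on the server side is still governed by session-timeout.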

Hello,

The JIRA authentication in browser is determined by a cookie, so you can set its timeout in $JIRA_INSTALL/WEB-INF/classes/seraph-config.xml -- please look for the following parameters:

        <!-- This property sets the default remember me cookie max age in seconds.  It is currently set to 2 weeks -->
        <init-param>
            <param-name>autologin.cookie.age</param-name>
            <param-value>1209600</param-value>
        </init-param>

1209600 seconds means 14 days, but you can set it to 864000 (10 hours). Please remember to restart JIRA after that.

I hope it helps!

Best regards,
Lucas Timm

I tested this and autologin.cookie.age controls the lifetime of the cookie set when the user checks Remember My Login. This isn't quite enough to meet the requirement because as long as the session remains active the user won't be forced to re-authenticate even after the seraph.rememberme.cookie cookie expires.

It is almost like I need the login session cookie to have a timeout of 10 hours instead of session.

Any luck @ Jeffrey Shank

I need to set something similar... Please let me know if you could find any workaround for this?

I never found a work around. We had to get an exception from the client on this security requirement.

Jeff, take a look at this link as this is probably what you're looking for.
https://confluence.atlassian.com/display/JIRA/Changing+the+default+session+timeout

Edit: will not log them out regardless of activity but will ensure they're logged out after that inactivity period.

I used the method from that article to deal with the inactivity timeout requirement. I'm still seeking an answer for limiting the max lifetime of a session, independent of activity.
