Auto-logout times changed?

We recently upgraded from Confluence 3.5.9 to 4.3.3.

Since then, some users reported some unexpected differences between the two versions with regards to timeout times. In 3.5.9, users were punted back to the login screen after a period of inactivity (I'm not sure what, but I'm thinking somewhere in the order of hours). As of 4.3.3, users are not getting automatically logged out.

In my mind, this is a great convenience feature as users are not forced to log in multiple times throughout the day, but conversely, some users are concerned about security (eg. If they forget to manually logout, could someone else sit down at their machine and hijack their session).

All I'm really looking to find out is what, if anything, changed between these versions that could trigger something different with regards to timeout times. I see that the JSESSIONID cookie expires At end of session, did this used to be something different like 1 hour after creation perhaps?

I checked my web.xml file and have the following config there (which I believe is an Atlassian default):




I'm not sure if that is applicable to this situation or not.

4 answers

1 accepted

0 votes
Accepted answer

For googlers:

The old session-timeout parameter was not being respected because the Notification plugin (workbox) polled Confluence every 30 seconds, essentially cancelling out the timeout:

We are going to wait for a bug fix.


I would take a look at I think this is what you're looking to update. It could have a new default in the newer version.


Just for our community to know, that's indeed a bug. We'll have to vote on the bug report, that way our Dev team can see it, and then fix it.
We don't have an ETA for it right now, but please add yourself as a watcher in the ticket, that way our team will keep you updated.



There is a comment

By disabling the Notifications and Tasks plugins (there are three, located in the System Plugins section of Installed Plugins), the call will stop, and session invalidation will work as expected.

what will be the side effects? Will users still be informed if changes are made to pages?

The "Notifications and Tasks" plugins are specifically about this:

In short, it's related to the new "workbox", which consolidates Confluence page watches, shares, mentions, and tasks (JIRA issues, too, if they're linked). Assuming you had been receiving page change notifications via email before Atlassian included the workbox feature, you should still get the email notifications. Disabling the plugins just prevents you from seeing the workbox and using the new social features (e.g. @mentions).

With the plugins enabled and the workbox polling every 30 seconds, it effectively keeps your login session open indefinitely. In the enterprise, this is a security 101 issue, because any session timeout you set in either web.xml file will be ignored.

An enterprise customer needing to enforce a session timeout (true for many enterprise customers) will be unable to use the workbox, @mentions, or any other features requiring these plugins. This is a major bug. Until Atlassian fixes this, many enterprise customers will be unable to use these new features.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Thursday in Agile

How Scrum works? It starts with training and education

To answer “How scrum works,” most of the teams I've worked with first addressed the question: “where to start?”  That question applies to both implementation and improvements on the Scrum framew...

195 views 3 5
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you