Auto-logout times changed?

WSST January 21, 2013

We recently upgraded from Confluence 3.5.9 to 4.3.3.

Since then, some users reported some unexpected differences between the two versions with regards to timeout times. In 3.5.9, users were punted back to the login screen after a period of inactivity (I'm not sure what, but I'm thinking somewhere in the order of hours). As of 4.3.3, users are not getting automatically logged out.

In my mind, this is a great convenience feature as users are not forced to log in multiple times throughout the day, but conversely, some users are concerned about security (e.g. if they forget to manually log out, could someone else sit down at their machine and hijack their session?).

All I'm really looking to find out is what, if anything, changed between these versions that could trigger something different with regards to timeout times. I see that the JSESSIONID cookie expires "At end of session"; did this used to be something different, like 1 hour after creation perhaps?

I checked my web.xml file and have the following config there (which I believe is an Atlassian default):

<session-config>
    <session-timeout>60</session-timeout>
</session-config>

I'm not sure if that is applicable to this situation or not.

4 answers

1 accepted

0 votes
Answer accepted
WSST January 27, 2013

For googlers:

The old session-timeout parameter was not being respected because the Notification plugin (workbox) polled Confluence every 30 seconds, essentially cancelling out the timeout:

https://jira.atlassian.com/browse/CONF-26796

We are going to wait for a bug fix.

0 votes
NCIS March 27, 2013

The "Notifications and Tasks" plugins are specifically about this:

https://confluence.atlassian.com/display/DOC/Managing+Notifications+in+Confluence

In short, it's related to the new "workbox", which consolidates Confluence page watches, shares, mentions, and tasks (JIRA issues, too, if they're linked). Assuming you had been receiving page change notifications via email before Atlassian included the workbox feature, you should still get the email notifications. Disabling the plugins just prevents you from seeing the workbox and using the new social features (e.g. @mentions).

With the plugins enabled and the workbox polling every 30 seconds, it effectively keeps your login session open indefinitely. In the enterprise, this is a security 101 issue, because any session timeout you set in either web.xml file will be ignored.

An enterprise customer needing to enforce a session timeout (true for many enterprise customers) will be unable to use the workbox, @mentions, or any other features requiring these plugins. This is a major bug. Until Atlassian fixes this, many enterprise customers will be unable to use these new features.
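As an added illustration (not code from this thread, from Confluence or from Atlassian), the following Python model shows why a background poll defeats the web.xml setting. It assumes the standard servlet semantics behind session-timeout: the value is an idle limit in minutes, and any request that resolves the session resets its idle clock, XHR polls included. The Session and simulate names, the 30-second poll and the 8-hour absolute cap are constructed for the example; the absolute-lifetime policy is shown as a mitigation an administrator could enforce in front of the application, not as an existing Confluence option.

```python
"""Model of a servlet-style idle session timeout under background polling."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    created_at: float                 # simulated clock, seconds
    last_access: float                # refreshed on every request
    idle_limit: float                 # seconds, i.e. <session-timeout> minutes * 60
    absolute_limit: Optional[float] = None   # seconds; None = no absolute cap

    def touch(self, now: float) -> None:
        # Servlet containers refresh lastAccessedTime on every request that
        # resolves the session, so a workbox poll counts as activity.
        self.last_access = now

    def expired(self, now: float) -> bool:
        if now - self.last_access >= self.idle_limit:
            return True
        # Hypothetical absolute cap: a keep-alive poll cannot extend it.
        if self.absolute_limit is not None and now - self.created_at >= self.absolute_limit:
            return True
        return False


def simulate(idle_minutes: int, poll_interval: int, total_seconds: int,
             absolute_minutes: Optional[int] = None,
             user_active_until: int = 0) -> Optional[int]:
    """Return the simulated second at which the session expires, or None if it
    is still alive after total_seconds.

    poll_interval: seconds between background polls (0 = no polling).
    user_active_until: the user clicks around until this second, then leaves.
    """
    session = Session(
        created_at=0.0,
        last_access=0.0,
        idle_limit=idle_minutes * 60,
        absolute_limit=None if absolute_minutes is None else absolute_minutes * 60,
    )
    for t in range(total_seconds + 1):
        if session.expired(t):
            return t
        if t <= user_active_until or (poll_interval and t % poll_interval == 0):
            session.touch(t)
    return None


if __name__ == "__main__":
    # web.xml says 60 minutes; user leaves the desk after 10 minutes.
    print("no polling        :", simulate(60, 0, 4 * 3600, user_active_until=600))
    print("30 s workbox poll :", simulate(60, 30, 4 * 3600, user_active_until=600))
    print("poll + 8 h cap    :", simulate(60, 30, 10 * 3600, absolute_minutes=480))
```

With no polling the session dies 60 minutes after the user walks away; with a 30-second poll it never expires within the simulated window, which is exactly the behaviour reported in this thread. The third run shows the effect of an absolute lifetime enforced outside the application (for example at a reverse proxy or SSO layer): the poll still resets the idle clock, but exposure is bounded regardless.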

0 votes
William Zanchet [Atlassian]
January 29, 2013

Hey,

Just for our community to know, that's indeed a bug. We'll have to vote on the bug report, that way our Dev team can see it, and then fix it.
We don't have an ETA for it right now, but please add yourself as a watcher in the ticket, that way our team will keep you updated.

Cheers,

WZ

Bruce Schlueter February 7, 2013

There is a comment:

By disabling the Notifications and Tasks plugins (there are three, located in the System Plugins section of Installed Plugins), the call will stop, and session invalidation will work as expected.

What will be the side effects? Will users still be informed if changes are made to pages?

0 votes
Jason Brison
January 21, 2013

Hi WSST,

I would take a look at https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597. I think this is what you're looking to update. It could have a new default in the newer version.
