We recently upgraded from Confluence 3.5.9 to 4.3.3.
Since then, some users reported some unexpected differences between the two versions with regards to timeout times. In 3.5.9, users were punted back to the login screen after a period of inactivity (I'm not sure what, but I'm thinking somewhere in the order of hours). As of 4.3.3, users are not getting automatically logged out.
In my mind, this is a great convenience feature as users are not forced to log in multiple times throughout the day, but conversely, some users are concerned about security (eg. If they forget to manually logout, could someone else sit down at their machine and hijack their session).
All I'm really looking to find out is what, if anything, changed between these versions that could trigger something different with regards to timeout times. I see that the JSESSIONID cookie expires At end of session, did this used to be something different like 1 hour after creation perhaps?
I checked my web.xml file and have the following config there (which I believe is an Atlassian default):
I'm not sure if that is applicable to this situation or not.
The old session-timeout parameter was not being respected because the Notification plugin (workbox) polled Confluence every 30 seconds, essentially cancelling out the timeout:
We are going to wait for a bug fix.
I would take a look at https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597. I think this is what you're looking to update. It could have a new default in the newer version.
Just for our community to know, that's indeed a bug. We'll have to vote on the bug report, that way our Dev team can see it, and then fix it.
We don't have an ETA for it right now, but please add yourself as a watcher in the ticket, that way our team will keep you updated.
There is a comment
By disabling the Notifications and Tasks plugins (there are three, located in the System Plugins section of Installed Plugins), the call will stop, and session invalidation will work as expected.
what will be the side effects? Will users still be informed if changes are made to pages?
The "Notifications and Tasks" plugins are specifically about this:
In short, it's related to the new "workbox", which consolidates Confluence page watches, shares, mentions, and tasks (JIRA issues, too, if they're linked). Assuming you had been receiving page change notifications via email before Atlassian included the workbox feature, you should still get the email notifications. Disabling the plugins just prevents you from seeing the workbox and using the new social features (e.g. @mentions).
With the plugins enabled and the workbox polling every 30 seconds, it effectively keeps your login session open indefinitely. In the enterprise, this is a security 101 issue, because any session timeout you set in either web.xml file will be ignored.
An enterprise customer needing to enforce a session timeout (true for many enterprise customers) will be unable to use the workbox, @mentions, or any other features requiring these plugins. This is a major bug. Until Atlassian fixes this, many enterprise customers will be unable to use these new features.
Greetings! If you've landed on this thread, you're likely new to the Atlassian Community, and we're very glad you're here. This is a great space to introduce yourself and offer up&...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs