Auto-logout times changed?

We recently upgraded from Confluence 3.5.9 to 4.3.3.

Since then, some users reported some unexpected differences between the two versions with regard to timeout times. In 3.5.9, users were punted back to the login screen after a period of inactivity (I'm not sure what, but I'm thinking somewhere on the order of hours). As of 4.3.3, users are not getting automatically logged out.

In my mind, this is a great convenience feature as users are not forced to log in multiple times throughout the day, but conversely, some users are concerned about security (e.g. if they forget to manually log out, could someone else sit down at their machine and hijack their session?).

All I'm really looking to find out is what, if anything, changed between these versions that could trigger something different with regard to timeout times. I see that the JSESSIONID cookie expires "At end of session"; did this use to be something different, like 1 hour after creation perhaps?

I checked my web.xml file and have the following config there (which I believe is an Atlassian default):

    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>

I'm not sure if that is applicable to this situation or not.

4 answers

1 accepted

For googlers:

The old session-timeout parameter was not being respected because the Notification plugin (workbox) polled Confluence every 30 seconds, essentially cancelling out the timeout:

https://jira.atlassian.com/browse/CONF-26796

We are going to wait for a bug fix.

Hi WSST,

I would take a look at https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597. I think this is what you're looking to update. It could have a new default in the newer version.

Hey,

Just for our community to know, that's indeed a bug. We'll have to vote on the bug report, that way our Dev team can see it, and then fix it.
We don't have an ETA for it right now, but please add yourself as a watcher in the ticket, that way our team will keep you updated.

Cheers,

WZ

There is a comment:

By disabling the Notifications and Tasks plugins (there are three, located in the System Plugins section of Installed Plugins), the call will stop, and session invalidation will work as expected.

What will be the side effects? Will users still be informed if changes are made to pages?

The "Notifications and Tasks" plugins are specifically about this:

https://confluence.atlassian.com/display/DOC/Managing+Notifications+in+Confluence

In short, it's related to the new "workbox", which consolidates Confluence page watches, shares, mentions, and tasks (JIRA issues, too, if they're linked). Assuming you had been receiving page change notifications via email before Atlassian included the workbox feature, you should still get the email notifications. Disabling the plugins just prevents you from seeing the workbox and using the new social features (e.g. @mentions).

With the plugins enabled and the workbox polling every 30 seconds, it effectively keeps your login session open indefinitely. In the enterprise, this is a security 101 issue, because any session timeout you set in either web.xml file will be ignored.

An enterprise customer needing to enforce a session timeout (true for many enterprise customers) will be unable to use the workbox, @mentions, or any other features requiring these plugins. This is a major bug. Until Atlassian fixes this, many enterprise customers will be unable to use these new features.
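
Added example (not part of the thread and not Atlassian code): a Python replay of one session's requests, showing why a 30-second background poll keeps a 60-minute session-timeout from ever firing and how an idle check that ignores polling requests would behave instead. The polling and page paths are hypothetical placeholders, and the sample requests are constructed.

```python
from dataclasses import dataclass

TIMEOUT_S = 60 * 60                 # <session-timeout>60</session-timeout> is in minutes
POLL_PREFIX = "/rest/example-poll"  # hypothetical path, not Confluence's real endpoint


@dataclass
class Request:
    t: int     # seconds since login
    path: str


def first_rejected(requests, timeout_s=TIMEOUT_S, ignore_prefix=None):
    """Replay one session; return the time of the first request that finds
    the session expired, or None if it never expires.

    ignore_prefix=None models the container: every request, including a
    background poll, refreshes the last-access time. With ignore_prefix set,
    requests under that prefix are still served but do not count as activity.
    """
    last_activity = 0  # login at t=0
    for req in sorted(requests, key=lambda r: r.t):
        if req.t - last_activity > timeout_s:
            return req.t
        is_poll = ignore_prefix is not None and req.path.startswith(ignore_prefix)
        if not is_poll:
            last_activity = req.t
    return None


def constructed_session(active_until=300, poll_every=30, duration=3 * 3600):
    """Constructed sample: the user browses for 5 minutes, then walks away
    while the open tab keeps polling every 30 seconds for 3 hours."""
    pages = [Request(t, "/display/EXAMPLE/Home") for t in range(0, active_until + 1, 60)]
    polls = [Request(t, POLL_PREFIX + "/notifications")
             for t in range(poll_every, duration + 1, poll_every)]
    return pages + polls


if __name__ == "__main__":
    reqs = constructed_session()
    print("container timeout:", first_rejected(reqs))
    print("activity-aware timeout:", first_rejected(reqs, ignore_prefix=POLL_PREFIX))
```

With the container's rule the unattended session is still valid after three hours; counting only user-initiated requests, the first poll after the 60-minute idle window is the one that gets rejected.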
