As per the following KB, I made changes that should have seen the timeout reduced to 2 minutes.

      https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597

      in <confluence_install>/confluence/WEB-INF/web.xml

      <session-config>
        <session-timeout>2</session-timeout>
      </session-config>
      

      I can't force Confluence to have a session timeout.

      This issue has been reproduced first on a customer's instance, then on mine, and then on another engineer's instance.

      Workaround:

      Disable all the 'Notifications' plugins under Browse > Confluence Admin > Manage add-ons (or Plugins). Click 'Show System Plugins', next to 'System Plugins'.

      • Notifications and Tasks - Common Plugin
      • Notifications and Tasks - Confluence Provider Plugin
      • Notifications and Tasks - Host Plugin

      Additionally, you will need to disable the Confluence Quick Reload Plugin, to prevent calls to /rest/quickreload/, which are triggered around every 20 seconds.


            [CONFSERVER-26796] Session-timeout not being respected

            Steve Haffenden (Inactive) added a comment -

            Hi icyoo

            Thanks for getting in touch. Because this is not a critical issue we won't be providing a patch for older versions of Confluence. For more information on our patch policy please read https://confluence.atlassian.com/display/Support/Atlassian+Patch+Policy.

            Regards
            Steve Haffenden
            Confluence Bugmaster
            Atlassian

            Yoo InChul added a comment -

            Is there any patch for Confluence 5.1.x versions ?

            Thanks.


            Issac Gerges (Inactive) added a comment - edited

            Hi all. We've implemented a fix that will prevent quick-reload and work box from prolonging the user's session (which targets Confluence 5.4). As we mentioned above, both the comment editor and draft actions will continue to prolong the session by default. If desired, those URLs can be manually added to the timeout filter's urlPatternsToExclude to prevent them from prolonging the session as well.

            Issac Gerges (Inactive) added a comment -

            As comments do not have drafts, we don't plan to prevent the comment editor heartbeat action from prolonging the session (until CONF-12978 is implemented).

            The draft action (preventing the session from expiring when a user is editing a page) will also continue to prolong the session to prevent losing content.

            Richard Atkins added a comment -

            There's one additional endpoint that can keep sessions alive:

            • /rest/mywork/latest/status/notification/count (although I can't readily determine the refresh interval right now)

            Sergey Svishchev added a comment -

            There are other plugins and features that can keep sessions alive.

            • Heartbeat – /json/startheartbeatactivity.action and /json/heartbeat.action every 30 seconds (hardcoded in the source) – CONF-29749
            • Quick Reload plugin – /rest/quickreload/... every 20 seconds
            • Draft save interval – /rest/tinymce/1/drafts (configurable, but default is 30 seconds)
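
An added example (not from this issue or from Atlassian's code): a log audit that measures how long the polling endpoints listed in the comments above kept an idle session alive past the configured 2-minute timeout. The log layout, user names and the `/rest/quickreload/latest/1` suffix are constructed, and one session per user is assumed.

```python
from datetime import datetime, timedelta

# Background polling paths named in this thread (prefix match).
BACKGROUND = (
    "/rest/quickreload/",
    "/json/startheartbeatactivity.action",
    "/json/heartbeat.action",
    "/rest/tinymce/1/drafts",
    "/rest/mywork/latest/status/notification/count",
)

def sample_log():
    """Constructed input, one 'ISO-time user path' request per line (assumed layout)."""
    t0 = datetime(2013, 1, 1, 9, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(0)} alice /display/DOC/Home", f"{at(0)} bob /display/DOC/Home"]
    # alice leaves the tab open: quick-reload polls every 20 s for 10 minutes
    lines += [f"{at(s)} alice /rest/quickreload/latest/1" for s in range(20, 601, 20)]
    lines.append(f"{at(300)} bob /display/DOC/Home")  # bob comes back after 5 minutes
    return "\n".join(lines)

def audit(log, timeout=timedelta(minutes=2)):
    """Return {user: (seconds the session outlived the idle timeout, [polling prefixes])}."""
    events = sorted(
        (datetime.fromisoformat(ts), user, path)
        for ts, user, path in (ln.split() for ln in log.splitlines() if ln.strip())
    )
    state = {}
    for ts, user, path in events:
        s = state.setdefault(
            user, {"any": None, "real": None, "overrun": timedelta(0), "by": set()})
        # The container resets the idle timer on every request, polls included.
        alive = s["any"] is not None and ts - s["any"] < timeout
        prefix = next((p for p in BACKGROUND if path.startswith(p)), None)
        if prefix is None:
            s["real"] = ts              # user-driven request: legitimate activity
        elif not alive:
            s["real"] = None            # session already expired; a poll cannot revive it
            continue
        elif ts - s["real"] > timeout:  # user idle past the limit, session still alive
            s["overrun"] = max(s["overrun"], ts - s["real"] - timeout)
            s["by"].add(prefix)
        s["any"] = ts
    return {u: (int(s["overrun"].total_seconds()), sorted(s["by"]))
            for u, s in state.items()}

if __name__ == "__main__":
    for user, (overrun, culprits) in audit(sample_log()).items():
        print(user, overrun, culprits)
```

A non-zero overrun for a user means the session was still valid that many seconds after it should have idled out, and the listed prefixes are the candidates to disable or exclude.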

            Dru G added a comment -

            Confirmed that this is still an issue with 5.1.2.


            NCIS added a comment - edited

            The session timeout issue exists in all Confluence versions 4.3 to 5.1, because of the three Notifications and Tasks plugins. Those plugins keep the session alive constantly so that specifying a session timeout in the web.xml file is meaningless.

            Additionally, if you have other Atlassian applications linked to Confluence versions 4.3-5.1 and using SSO, having these plugins enabled will cause all of those applications to never time out their login session. From a security perspective, this seems like a huge oversight.

            Disabling the plugins restores the session timeout, but it removes the notification tray and in-app notifications.

            Does Atlassian expect to fix this, so that customers with a session timeout requirement will be able to use the notification tray and in-app notifications?


            Riada added a comment -

            I've been able to reproduce this erroneous behaviour with Confluence 4.3.5 and Firefox version 15.0 and higher.
            Even after putting your client computer in standby mode for many hours, you can still continue to work in Confluence after startup without being forced to login again. It seems to work as expected in Chrome and IE9 though.


            Adam Laskowski (Inactive) added a comment -

            If your session timeout is not being respected in a version prior to 4.3, you may be editing the wrong web.xml. Tomcat has a default web.xml in <confluence-install>/conf/web.xml that applies default settings to sites that don't specify their own values. Confluence's web.xml has a session timeout declared in <confluence-install>/confluence/WEB-INF/ that will override the Tomcat default web.xml settings. Edit the latter file for the changes to take effect.

              igerges Issac Gerges (Inactive)
              dborcherding DanielA
              Affected customers: 20
              Watchers: 40