Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-54142

Session Timeout not respected in Confluence in Tomcat web.xml file


    • Icon: Bug Bug
    • Resolution: Not a bug
    • Icon: Highest Highest
    • None
    • 5.10.8, 6.1.0, 6.2.2, 6.2.4, 6.3.4, 6.15.2, 7.11.0

      Appears related to : CONFSERVER-40129 - Session timeout never occurred in Data Center.


      Session timeout never occurs in Confluence as configured within the <confluence-install>/confluence/WEB-INF/web.xml file as it should as documented within How to adjust the session timeout for Confluence

      Aside from Confluence Data Center, This has also been confirmed to affect Confluence server standalone.

      Steps to Reproduce

      1. Stop Confluence
      2. Change <confluence_install>/confluence/WEB-INF/web.xml on each node as follows (Set session-timeout to 1 min):
      1. Start Confluence

      Expected Results

      Session timeout should occur in 1 minute within the user session/web browser.

      Actual Results

      Session timeout never occurs, and the user remains logged into the application.


      Option 1:

      Configure the maximum age of the 'remember me' cookie per: Confluence Cookies by the following methods:

      1. Edit <confluence_install>/confluence/WEB-INF/classes/seraph-config.xml and add:
        <!-- session-timeout remember-me cookie timer -->
        	<param-value>1800</param-value><!-- 30 minutes in seconds -->
      1. Implementing this on all nodes, then restarting the whole cluster seems to force the session-timeout to work as expected.

      Option 2:

      Disable the automatic remember me on DC clusters, this allows the end user to decide to have a Tomcat short session or Seraph long session but the user may need to login in again on a new node.

      1. Stop Confluence
      2. Go to Confluence installation directory
      3. Locate the <CONFLUENCE-INSTALLATION>/confluence/login.vm file and make a backup copy
      4. Edit the file
      5. Locate the following section of code:
        #if ($action.shouldRememberMeCheckboxBeOmitted())
            <input type="hidden" name="os_cookie" value="true"/>
            #bodytag( "Component" "label='remember.accesskey'" "name='os_cookie'" "value='false'" "theme='aui'" "template='onofflist.vm'") #end
      1. Modify the above code as follows
        #bodytag( "Component" "label='remember.accesskey'" "name='os_cookie'" "value='false'" "theme='aui'" "template='onofflist.vm'") #end
      1. Save the file and restart Confluence
      2. Repeat the above steps each time you install a new version of Confluence

            zxu2@atlassian.com Zac Xu
            jwyllys Justin W.
            13 Vote for this issue
            33 Start watching this issue