Confluence Data Center: CONFSERVER-60044

If a user has multiple sessions all sessions should be expired on logout


    • Type: Suggestion
    • Resolution: Unresolved
    • Component: User - Management
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Improvement description

      To better comply with the OWASP security standard OTG-SESS-006, which states:

      Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session tokens decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. Not having a secure session termination only increases the attack surface for any of these attacks.

      We should log the user's session out (invalidate the JSESSIONID) in every browser where it is active, not only the one the logout request came from.

      In Confluence this is currently achieved only through the "session timeout": when that timeout value is reached, all sessions and cookies linked to the session are expired irrespective of the browser used.

      However, this timeout can only reasonably be set to fire after some time (so as not to disturb the user experience too much), so an explicit logout in one browser leaves the user's other sessions valid until then.

      This could be accomplished as described below.

      https://stackoverflow.com/questions/35276554/spring-security-how-to-expire-all-sessions-of-a-user

              Assignee: Unassigned
              Reporter: Will Masters (Inactive) (wmasters)
              Votes: 1
              Watchers: 2