- Suggestion
- Resolution: Unresolved
Issue Summary
The 'remember me' checkbox is hidden and automatically checked on a DC cluster. By default the user has a 2 week session, even on an untrusted device. It would be nice to allow admins to enforce, show or disable the 'remember me' feature.
Steps to Reproduce
- Set up a Confluence DC cluster
- Go to login form
Expected Results
The user should be able to choose a short session on a public machine.
Actual Results
The 'remember me' checkbox is hidden and automatically checked.
Workaround
Enforce and hide 'remember me':
This behaviour is enforced on a DC cluster. End users by default have a shared Seraph long session between nodes.
- Stop Confluence
- Go to Confluence installation directory
- Locate the <CONFLUENCE-INSTALLATION>/confluence/login.vm file and make a backup copy
- Edit the file
- Locate the following section of code:

    #if ($action.shouldRememberMeCheckboxBeOmitted())
        <input type="hidden" name="os_cookie" value="true"/>
    #else
        #bodytag( "Component" "label='remember.accesskey'" "name='os_cookie'" "value='false'" "theme='aui'" "template='onofflist.vm'")
        #end
    #end

- Modify the above code as follows:

    <input type="hidden" name="os_cookie" value="true"/>

- Save the file and restart Confluence
- Repeat the above steps each time you install a new version of Confluence
Show 'remember me':
This is the default behaviour in a non-clustered instance. It allows the end user to decide to have a Tomcat short session or a Seraph long session, but the user may need to log in again when hitting a new node.
- Set System Property "cluster.login.rememberme.enabled" to true
- This system property has no effect in standalone Confluence.
Disable and hide 'remember me':
Disable the automatic 'remember me' on DC clusters. This allows the end user to decide to have a Tomcat short session or a Seraph long session, but the user may need to log in again on a new node.
- Stop Confluence
- Go to Confluence installation directory
- Locate the <CONFLUENCE-INSTALLATION>/confluence/login.vm file and make a backup copy
- Edit the file
- Locate the following section of code:

    #if ($action.shouldRememberMeCheckboxBeOmitted())
        <input type="hidden" name="os_cookie" value="true"/>
    #else
        #bodytag( "Component" "label='remember.accesskey'" "name='os_cookie'" "value='false'" "theme='aui'" "template='onofflist.vm'")
        #end
    #end

- Modify the above code as follows:

    <input type="hidden" name="os_cookie" value="false"/>

- Save the file and restart Confluence
- Repeat the above steps each time you install a new version of Confluence
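
Because both login.vm edits above are lost whenever a new version is installed, a check like the following can confirm which mode a node's template is currently in. It is an added example, not Atlassian code; the function names and the mode labels (default, forced-on, forced-off) are assumptions, and it recognises only the exact edits described in the workaround.

```shell
#!/bin/sh
# Added example: classify the 'remember me' handling found in a login.vm file.
# Prints one of: default, forced-on, forced-off, unknown.
remember_me_mode() {
    vm="$1"
    [ -r "$vm" ] || { echo "unknown"; return 1; }

    # Stock template: the cluster-aware conditional is still present,
    # so an upgrade (or a restore) has undone any manual edit.
    if grep -q 'shouldRememberMeCheckboxBeOmitted' "$vm"; then
        echo "default"
        return 0
    fi

    # Patched template: exactly one unconditional hidden os_cookie input.
    hidden=$(grep -E '<input[^>]*type="hidden"[^>]*name="os_cookie"' "$vm") || true
    count=$(printf '%s\n' "$hidden" | grep -c 'os_cookie') || true
    if [ "$count" -ne 1 ]; then
        echo "unknown"
        return 1
    fi
    case "$hidden" in
        *'value="true"'*)  echo "forced-on" ;;
        *'value="false"'*) echo "forced-off" ;;
        *)                 echo "unknown"; return 1 ;;
    esac
}

# Compare a node's template with the intended mode; returns non-zero on drift
# so it can be used in a post-upgrade checklist or a monitoring job.
# Usage: check_remember_me forced-off "<CONFLUENCE-INSTALLATION>/confluence/login.vm"
check_remember_me() {
    expected="$1"; vm="$2"
    actual=$(remember_me_mode "$vm") || true
    if [ "$actual" = "$expected" ]; then
        echo "OK: $vm is $actual"
    else
        echo "DRIFT: $vm is $actual, expected $expected" >&2
        return 1
    fi
}
```

Run it on every node of the cluster, since each node has its own installation directory and login.vm.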
Note:
Bitbucket Server has implemented it already: https://confluence.atlassian.com/bitbucketserver/configuration-properties-776640155.html
Controls whether remember-me authentication is disabled, always performed or only performed when a checkbox is checked on the login form. The 'Remember my login' checkbox is only displayed when set to 'optional'. Possible values are:
- always: No checkbox, remember-me cookie is always generated on successful login.
- optional: Checkbox is displayed on login form. Remember-me cookie is only generated when checkbox is checked.
- never: Remember-me authentication is disabled completely.
- derived from
- CONFSERVER-54142 Session Timeout not respected in Confluence in Tomcat web.xml file
- Closed