
Ability to configure the session timeout for managed Atlassian accounts on the Cloud

      Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      As an organization administrator concerned about security, I would like to be able to set the standard session timeout of active and inactive (idle) user sessions for managed Atlassian accounts, as well as be able to kill a session for individual users.

            [ID-6836] Ability to configure the session timeout for managed Atlassian accounts on the Cloud

            Esther Strom [ACP-JA] added a comment - edited

            It's the Idle Session Duration option under your authentication policies. Edit a specific policy and the option is there.

            https://support.atlassian.com/security-and-access-policies/docs/edit-authentication-settings-and-members/


            IT Ops added a comment -

            Can someone provide a specific link for this option? I cannot find it even with Org Admin privileges. 


            Abdi Sheikh added a comment -

            Also, would this setting apply for customers that access our service portal (e.g. Knowledgebase)?

            Thanks,

            Abdi

            Abdi Sheikh added a comment -

            Thanks for clarifying, Katherine and Esther!

            Is there a process to become an organization Admin? Or is that reserved for a specific group of users?

            Thanks,

            Abdi Sheikh

            Kat N added a comment -

            Thanks for providing those instructions, esther.strom!

            This feature is only accessible to organization admins. If you aren't seeing that option it's likely that you are a product or site admin for your team.

            Esther Strom [ACP-JA] added a comment -

            I don't know, Abdi - that's where I see it in our instance. Maybe it hasn't rolled out to all customers yet? You may need to contact Atlassian support.

            Abdi Sheikh added a comment -

            Thanks, Esther!

            When we navigate to Organization > Security, it loads the 'Users' page for us and doesn't give us an option for 'Session Duration'. Is there a reason why it doesn't show up for our project? Also, is there another way to access this setting?

            Thanks,

            Abdi

            Esther Strom [ACP-JA] added a comment -

            Abdi, it takes some looking. In our instance, from the Admin page, it's under Organization -> Security -> Session Duration.

            Abdi Sheikh added a comment -

            Hello Katherine! I'm checking in to see if this change has been implemented? I don't see the option on Admin Atlassian page.

            Thanks,

            Abdi

            Kat N added a comment -

            Hi everyone,
            We're excited to share that this feature is starting to roll out this week! From the Session duration page on admin.atlassian.com, you can now specify the length of time managed accounts can be idle before they’re logged out of Jira and Confluence.

            Thanks for continuing to share your feedback, and you can expect to see this feature available for your organization over the next week. (Don't worry if you don't see it yet - it will appear very soon!)


            Kofi Friar added a comment -

            I've recently come across a challenge in our organization that I'm fairly confident this resolution would solve. Is there any update on if this feature will be added? It would be a big help to our organization


            Jeremy Palay added a comment -

            Come on guys. I know it's only been 6 years, but can we get somewhere on this? It's industry standard and best practice to have logins time out. We do have to worry about security you know...

            Léon Tebbens added a comment -

            Shorter timeouts seem like a solution, but I think it would be a workaround. Hackers still can use this to gain access. More robust are solutions like Recovery Codes (very common, see Google, Dropbox). They are a kind of hassle for normal users, so I would suggest to only have Recovery Codes for admins. Non-admin users can request a password reset from an admin.

            Best, Léon Tebbens
            Solution Architect @ Alliander.com

            Léon Tebbens added a comment -

            Some users bypass logging in to our corporate SAML2 by using the Forgot Password link. Because the session doesn't expire for weeks (months), they never have to log in. This invalidates two-factor and is a BIG SECURITY ISSUE.

            Marc Dantona added a comment -

            We'd love an update on this one. This feature is pretty important to us.

            Jeremy Palay added a comment -

            Agree with Esther. Why have MFA if I can't time out my users? This is a major missing piece.

            Esther Strom added a comment -

            The entire point of two-factor is security. If we're paying extra for managed accounts so we can use two-factor, but our users aren't actually required to log out at a specified interval, that invalidates two-factor, which means we no longer have a reason to pay Atlassian extra for those accounts. Something to consider if the bottom line is your priority.

            Erin Smith added a comment -

            I've noticed this behavior on both my desktop and phone.  Apps like this should always log out on close.


            +1

            jim.villani@assett.net added a comment -

            Being able to configure a timeout interval is an important feature for customers who need to certify NIST 800-171 compliance for cloud computing systems. This should be anyone doing business with the US DoD.

            Jennifer added a comment -

            We're using the IE 11 browser and even while active in the middle of any Jira operation we'll encounter a sudden garbling of our screens, we have to press F5, we have to open another window, we sometimes receive a java scripting error. It would be nice to know what the timeout setting is set to if using an on demand instance. It would be nice not to be logged out as inactive even while performing basic operations in Jira and it's not close to 5 minutes.

            shawn mulford added a comment -

            bump

            Viv added a comment -

            Do we have any update over here?


            Brian Amstutz added a comment -

            I want to describe my issue to make sure it's the same thing that's reported in this ticket. Every time I close my browser and reopen it, I have to log back in to JIRA - even if I logged in 60 seconds ago. We're on Windows 7 using IE 11 (I know, I know).

            Example: My browser is closed. I get an email in Outlook about a defect in Jira. I click the link, my browser opens and I have to log in to JIRA to see the defect. If I close my browser, go back to that email and click the link again I have to log in to JIRA again even though I just logged in less than a minute ago. If I keep my browser open I stay logged in. As long as I don't close my browser I could open links from multiple emails without having to log in every time.

            Does this ticket represent what I'm describing or should I open another item to track it?

            Matthew Kernes added a comment -

            @pives, looks like this issue can possibly be solved by changing your password or username. Last week they diagnosed this problem as a 3rd party login that was breaking my session. We couldn't track down what was logging in as me externally, so I changed my credentials and that resolved the issue. (Now the hunt is on for what is now going to be logged out.)

            Phil Ives added a comment -

            bump... even with my password manager log outs are insanely often for my secured computer.


            Matthew Kernes added a comment -

            Any word on this? Apparently this ticket has been open for some time.

            We're currently getting logged out after less than 5 minutes of activity in both Firefox and Chrome. This is only happening with our JIRA account, and no other sites.

            (watching)

            YassineM added a comment -

            Any update please?


              mmarney@atlassian.com Matthew M. (Inactive)
              mfernandezbadii Mauro Badii (Inactive)
              Votes: 72
              Watchers: 67
