Problem Definition

• If a user customizes the session timeout as per How to change the default session timeout, these changes are not reflected on the User Sessions page.
• The session is not destroyed checking the atlassian-jira-security.log and the user does not get logged out, however on the User Sessions page, the session is removed after 4 hours.
• If the user is idle for more than 4 hours, the session disappears from the User Session page but does not get logged out.
• If a user becomes active again after more than 4 hours, their session re-appears on the User Session page and will stay there until it has been idle for more than 4 hours again.
• The missing functionality is not limited to a customized JIRA timeout, but also to standard JIRA session timeout

Note: Initially this bug was thought to remove the actual user session from Tomcat and logging the user out, which multiple of the early comments are about. This was found to be separate bug with the Atlassian Bot Killer plugin which mistook regular sessions for bots and killed their sessions after 1 hour regardless of the session timeout value, https://jira.atlassian.com/browse/JRASERVER-70574. This bug was fixed in Jira 8.5.6.
The Title has been updated to reflect this.

Steps to reproduce

1. Create 'test' user and log in as this user
2. Open http://JIRA_HOSTNAME/secure/admin/CurrentUsersList.jspa as admin in another browser and you will see the 'test' user's session.
3. Close the 'test' user session's window (to avoid AJAX requests)
4. Set the system clock forward by 4h1m.
5. Reload http://[JIRA_HOSTNAME]/secure/admin/CurrentUsersList.jspa and the 'test' user's session will not be listed.
6. Open the 'test' user window again. Session is still active and you do not need to log in.
7. Reload http://[JIRA_HOSTNAME]/secure/admin/CurrentUsersList.jspaand the 'test' user's session is back in the list.