  1. Jira Data Center
  2. JRASERVER-60844

User sessions idle for >4h are removed from the sessions listed on "Current User Sessions in Jira" admin page regardless of the session timeout value


    • 6.04
    • 128
    • Severity 3 - Minor
    • 13
    • Atlassian Update – 25 May 2023

      Hi everyone,

      We have investigated this bug and have edited the scope in the Description as well as the Title to more accurately reflect the impact.

      Reason:
      Initially this bug was thought to remove the actual user session from Tomcat and log the user out, which many of the early comments are about. This was found to be a separate bug with the Atlassian Bot Killer plugin which mistook regular sessions for bots and killed their sessions after 1 hour regardless of the session timeout value, https://jira.atlassian.com/browse/JRASERVER-70574. This bug was fixed in Jira 8.5.6.

      Next steps:
      The bug is pending further review based on the narrowed scope. At the time of this update a decision on a fix has yet to be made. (see the Atlassian Data Center and Server Bug Fix Policy for details on this process)

      If you discover that this bug is having any direct functional impact on your Jira, kindly contact support and provide a more detailed description of the issue. Doing so will enable us to investigate and reevaluate its priority.

      Best regards
      Magnus Karlsson
      Jira Developer


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Problem Definition

      • If a user customizes the session timeout as per How to change the default session timeout, these changes are not reflected on the User Sessions page.
      • Checking atlassian-jira-security.log shows that the session is not destroyed and the user does not get logged out; however, on the User Sessions page the session is removed after 4 hours.
      • If the user is idle for more than 4 hours, the session disappears from the User Sessions page but the user does not get logged out.
      • If a user becomes active again after more than 4 hours, their session re-appears on the User Session page and will stay there until it has been idle for more than 4 hours again.
      • The missing functionality is not limited to a customized JIRA session timeout; it also applies to the standard JIRA session timeout.

       

      Note: Initially this bug was thought to remove the actual user session from Tomcat and log the user out, which multiple early comments are about. This was found to be a separate bug with the Atlassian Bot Killer plugin which mistook regular sessions for bots and killed their sessions after 1 hour regardless of the session timeout value, https://jira.atlassian.com/browse/JRASERVER-70574. This bug was fixed in Jira 8.5.6.
      The Title has been updated to reflect this.

      Steps to reproduce

      1. Create 'test' user and log in as this user
      2. Open http://[JIRA_HOSTNAME]/secure/admin/CurrentUsersList.jspa as admin in another browser and you will see the 'test' user's session.
      3. Close the 'test' user session's window (to avoid AJAX requests)
      4. Set the system clock forward by 4h1m.
      5. Reload http://[JIRA_HOSTNAME]/secure/admin/CurrentUsersList.jspa and the 'test' user's session will not be listed.
      6. Open the 'test' user window again. Session is still active and you do not need to log in.
      7. Reload http://[JIRA_HOSTNAME]/secure/admin/CurrentUsersList.jspa and the 'test' user's session is back in the list.
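
      The steps above, replayed against a small model, as an added example (not Jira's code and not part of the original report). It assumes two independent idle checks: the container's configurable session timeout and a fixed 4-hour window applied only by the admin listing. The class and function names and the 10-hour timeout are constructed for illustration.

```python
from dataclasses import dataclass, field

# Fixed idle window after which the admin listing drops an entry (value from the report).
LIST_WINDOW = 4 * 3600


@dataclass
class SessionModel:
    session_timeout: int                              # container timeout in seconds (assumed configurable)
    last_access: dict = field(default_factory=dict)   # user -> time of last request

    def request(self, user, now):
        """Record a request. Returns False if the previous session had already expired."""
        prev = self.last_access.get(user)
        alive = prev is None or now - prev <= self.session_timeout
        self.last_access[user] = now                  # new or continued session
        return alive

    def valid(self, now):
        """Sessions the container would still accept."""
        return sorted(u for u, t in self.last_access.items()
                      if now - t <= self.session_timeout)

    def listed(self, now):
        """Sessions the admin page would show under the fixed 4h window."""
        return sorted(u for u, t in self.last_access.items()
                      if now - t <= LIST_WINDOW)

    def hidden_but_valid(self, now):
        """The audit gap: live sessions missing from the admin listing."""
        return sorted(set(self.valid(now)) - set(self.listed(now)))


def replay_report(timeout_hours=10):
    """Replay steps 1-7 with a simulated clock instead of changing the system clock."""
    m = SessionModel(session_timeout=timeout_hours * 3600)
    m.request("test", now=0)                           # step 1: 'test' logs in
    before = (m.listed(0), m.hidden_but_valid(0))      # step 2: admin sees the session
    t = 4 * 3600 + 60                                  # step 4: clock forward 4h1m
    gap = (m.listed(t), m.hidden_but_valid(t))         # step 5: session not listed
    still_logged_in = m.request("test", now=t)         # step 6: user returns
    after = (m.listed(t), m.hidden_but_valid(t))       # step 7: session listed again
    return before, gap, still_logged_in, after


if __name__ == "__main__":
    for label, value in zip(("before", "gap", "still_logged_in", "after"), replay_report()):
        print(label, value)
```

      Whenever the configured timeout exceeds 4 hours, `hidden_but_valid` is non-empty for idle users, so under this model the listing cannot be treated as a complete inventory of live sessions.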

       

              Unassigned
              Adrian Stephen (astephen@atlassian.com)
              Votes: 128
              Watchers: 104
