Details
-
Bug
-
Resolution: Invalid
-
Low
-
None
-
8.11.0
-
None
-
8.11
-
2
-
Severity 2 - Major
-
4
-
Description
Atlassian Bot Killer plugin reduces all users session timeout to one hour
Steps to Reproduce
Based on steps:
- Configure session timeout to 300 = 5h in $JIRA_INSTALL/atlassian-jira/WEB-INF/web.xml
- Restart Jira
- Create page in $JIRA_INSTALL/atlassian-jira/secure/sessionattributes.jsp to check session attributes
<%@ page session="true" import="java.util.*" %> <h1>Session attributes</h1> <% Enumeration keys = session.getAttributeNames(); out.println("Session ID: " + session.getId() + "<br>"); out.println("Max Inactive Interval: " + session.getMaxInactiveInterval() + "<br>"); while (keys.hasMoreElements()) { String key = (String)keys.nextElement(); out.println(key + ": " + session.getValue(key) + "<be>"); } %>
- Do the 1st visit to Jira http://company.xyz/jira/secure/sessionattributes.jsp
- Visit 2nd time Jira http://company.xyz/jira/secure/sessionattributes.jsp
Expected Results
The user session timeout is 5h.
Session attributes
Session ID: FB004ECB3114D926BFEBC42F2341571C
Max Inactive Interval: 18000
Actual Results
Session attributes
Session ID: FB004ECB3114D926BFEBC42F2341571C
Max Inactive Interval: 3600
ASESSIONID: p63bbu-FB004ECB3114D926BFEBC42F2341571C
atlassian.xsrf.token: BIYC-Y4RV-6FVB-2NEZ_4bc41aadf7f9b487bc234041514060b3234a09c8_lout
com.atlassian.labs.botkiller.BotKiller: 18000
Workaround
- Disable BotKiller Plugin
Notes on resolution
Based on addition data and testing provided in a separate tickets, we saw that:
- Authenticated session Inactive Interval is preserved at 5h
- Anonymous session Inactive Interval is reduced to 1h
- Both are expected outcomes according to the code logic The goal of the plugin to reduce the the session inactivity for anonymous request, while leaving authenticated sessions intact.
Attachments
Issue Links
- is related to
-
-
- Closed
-
- mentioned in
-
Page Loading...