-
Type:
Bug
-
Resolution: Invalid
-
Priority:
Low
-
None
-
Affects Version/s: 8.11.0
-
Component/s: Java API
-
None
-
8.11
-
2
-
Severity 2 - Major
-
4
Atlassian Bot Killer plugin reduces all users session timeout to one hour
Steps to Reproduce
Based on steps:
- Configure session timeout to 300 = 5h in $JIRA_INSTALL/atlassian-jira/WEB-INF/web.xml
- Restart Jira
- Create page in $JIRA_INSTALL/atlassian-jira/secure/sessionattributes.jsp to check session attributes
<%@ page session="true" import="java.util.*" %> <h1>Session attributes</h1> <% Enumeration keys = session.getAttributeNames(); out.println("Session ID: " + session.getId() + "<br>"); out.println("Max Inactive Interval: " + session.getMaxInactiveInterval() + "<br>"); while (keys.hasMoreElements()) { String key = (String)keys.nextElement(); out.println(key + ": " + session.getValue(key) + "<be>"); } %>
- Do the 1st visit to Jira http://company.xyz/jira/secure/sessionattributes.jsp
- Visit 2nd time Jira http://company.xyz/jira/secure/sessionattributes.jsp
Expected Results
The user session timeout is 5h.
Session attributes
Session ID: FB004ECB3114D926BFEBC42F2341571C
Max Inactive Interval: 18000
Actual Results
Session attributes
Session ID: FB004ECB3114D926BFEBC42F2341571C
Max Inactive Interval: 3600
ASESSIONID: p63bbu-FB004ECB3114D926BFEBC42F2341571C
atlassian.xsrf.token: BIYC-Y4RV-6FVB-2NEZ_4bc41aadf7f9b487bc234041514060b3234a09c8_lout
com.atlassian.labs.botkiller.BotKiller: 18000
Workaround
- Disable BotKiller Plugin
Notes on resolution
Based on addition data and testing provided in a separate tickets, we saw that:
- Authenticated session Inactive Interval is preserved at 5h
- Anonymous session Inactive Interval is reduced to 1h
- Both are expected outcomes according to the code logic The goal of the plugin to reduce the the session inactivity for anonymous request, while leaving authenticated sessions intact.
- is related to
-
-
- Closed
-
- mentioned in
-
Page Loading...