- Bug
- Resolution: Invalid
- Low
- None
- 8.11.0
- None
- 8.11
- 2
- Severity 2 - Major
- 4
Atlassian Bot Killer plugin reduces all users session timeout to one hour
Steps to Reproduce
Based on steps:
- Configure session timeout to 300 (minutes, i.e. 5h) in $JIRA_INSTALL/atlassian-jira/WEB-INF/web.xml
- Restart Jira
- Create a page at $JIRA_INSTALL/atlassian-jira/secure/sessionattributes.jsp to check session attributes:

```jsp
<%@ page session="true" import="java.util.*" %>
<h1>Session attributes</h1>
<%
    // Print the session ID and the effective inactivity timeout (seconds).
    out.println("Session ID: " + session.getId() + "<br>");
    out.println("Max Inactive Interval: " + session.getMaxInactiveInterval() + "<br>");
    // Dump every session attribute as "name: value".
    Enumeration<String> keys = session.getAttributeNames();
    while (keys.hasMoreElements()) {
        String key = keys.nextElement();
        out.println(key + ": " + session.getAttribute(key) + "<br>");
    }
%>
```

- Visit http://company.xyz/jira/secure/sessionattributes.jsp a first time
- Visit http://company.xyz/jira/secure/sessionattributes.jsp a second time
Expected Results
The user session timeout is 5h.
Session attributes
Session ID: FB004ECB3114D926BFEBC42F2341571C
Max Inactive Interval: 18000
Actual Results
Session attributes
Session ID: FB004ECB3114D926BFEBC42F2341571C
Max Inactive Interval: 3600
ASESSIONID: p63bbu-FB004ECB3114D926BFEBC42F2341571C
atlassian.xsrf.token: BIYC-Y4RV-6FVB-2NEZ_4bc41aadf7f9b487bc234041514060b3234a09c8_lout
com.atlassian.labs.botkiller.BotKiller: 18000
Workaround
- Disable BotKiller Plugin
Notes on resolution
Based on additional data and testing provided in separate tickets, we saw that:
- Authenticated session Inactive Interval is preserved at 5h
- Anonymous session Inactive Interval is reduced to 1h
- Both are expected outcomes according to the code logic. The goal of the plugin is to reduce the session inactivity interval for anonymous requests, while leaving authenticated sessions intact.
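
A check for the distinction drawn in the resolution notes, as an added example (not part of the original ticket or the plugin's code): it reads the configured timeout from web.xml, parses the diagnostic page output, and classifies the session. The web.xml fragment and page body are constructed from the values in this ticket, and treating the BotKiller attribute as the interval the session started with is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment matching the 300-minute setting from the steps above.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>300</session-timeout></session-config>
</web-app>"""

# Page body rebuilt from the "Actual Results" above (XSRF token line omitted).
PAGE = ("<h1>Session attributes</h1>"
        "Session ID: FB004ECB3114D926BFEBC42F2341571C<br>"
        "Max Inactive Interval: 3600<br>"
        "ASESSIONID: p63bbu-FB004ECB3114D926BFEBC42F2341571C<br>"
        "com.atlassian.labs.botkiller.BotKiller: 18000<br>")

BOTKILLER_KEY = "com.atlassian.labs.botkiller.BotKiller"


def configured_timeout_seconds(web_xml: str) -> int:
    """Read <session-timeout> (minutes) from web.xml, ignoring the XML namespace."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int(el.text.strip()) * 60
    raise ValueError("no <session-timeout> element found")


def parse_session_page(html: str) -> dict:
    """Turn the 'key: value<br>' lines printed by the JSP into a dict."""
    body = re.sub(r"<h1>.*?</h1>", "", html, flags=re.S)
    fields = {}
    for line in re.split(r"<br\s*/?>", body):
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value
    return fields


def classify(web_xml: str, html: str) -> str:
    """Compare the effective interval on the page with the configured one."""
    configured = configured_timeout_seconds(web_xml)
    fields = parse_session_page(html)
    effective = int(fields["Max Inactive Interval"])
    if effective == configured:
        return "intact"
    # Assumption: the BotKiller attribute holds the interval the session started with.
    if effective < configured and fields.get(BOTKILLER_KEY) == str(configured):
        return "reduced-by-botkiller"
    return "unexpected"
```

Run against the anonymous and the logged-in output of the diagnostic page: per the resolution notes, the first should classify as reduced and the second as intact.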
- is related to: JRASERVER-70574 Atlassian Bot Killer plugin reduces all users session timeout to one hour (Closed)