We recently upgraded from Confluence 3.5.9 to 4.3.3.
Since then, some users reported some unexpected differences between the two versions with regards to timeout times. In 3.5.9, users were punted back to the login screen after a period of inactivity (I'm not sure what, but I'm thinking somewhere in the order of hours). As of 4.3.3, users are not getting automatically logged out.
In my mind, this is a great convenience feature as users are not forced to log in multiple times throughout the day, but conversely, some users are concerned about security (e.g. if they forget to manually log out, could someone else sit down at their machine and hijack their session?).
All I'm really looking to find out is what, if anything, changed between these versions that could trigger something different with regards to timeout times. I see that the JSESSIONID cookie expires "At end of session"; did this used to be something different, like 1 hour after creation perhaps?
I checked my web.xml file and have the following config there (which I believe is an Atlassian default):
<session-config>
<session-timeout>60</session-timeout>
</session-config>
I'm not sure if that is applicable to this situation or not.
For googlers:
The old session-timeout parameter was not being respected because the Notification plugin (workbox) polled Confluence every 30 seconds, essentially cancelling out the timeout:
https://jira.atlassian.com/browse/CONF-26796
We are going to wait for a bug fix.
The "Notifications and Tasks" plugins are specifically about this:
https://confluence.atlassian.com/display/DOC/Managing+Notifications+in+Confluence
In short, it's related to the new "workbox", which consolidates Confluence page watches, shares, mentions, and tasks (JIRA issues, too, if they're linked). Assuming you had been receiving page change notifications via email before Atlassian included the workbox feature, you should still get the email notifications. Disabling the plugins just prevents you from seeing the workbox and using the new social features (e.g. @mentions).
With the plugins enabled and the workbox polling every 30 seconds, it effectively keeps your login session open indefinitely. In the enterprise, this is a security 101 issue, because any session timeout you set in either web.xml file will be ignored.
An enterprise customer needing to enforce a session timeout (true for many enterprise customers) will be unable to use the workbox, @mentions, or any other features requiring these plugins. This is a major bug. Until Atlassian fixes this, many enterprise customers will be unable to use these new features.
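To make the behaviour described in this thread concrete, here is an added example (written for this page, not Confluence or Tomcat code) that models a servlet-style idle timeout like the 60-minute `session-timeout` from web.xml and shows why a tab polling every 30 seconds keeps an unattended session alive indefinitely. It also shows two server-side controls that are assumptions for this example and are not described on the page as Confluence settings: an absolute session lifetime, and not letting background poll traffic count as user activity.

```python
"""Idle vs. absolute session expiry under background polling.

Added example, not Confluence or Tomcat code. Models a servlet-style idle
timeout (web.xml <session-timeout>60</session-timeout> means 60 minutes of
inactivity) and shows why a client polling every 30 seconds never lets that
idle timer fire. The absolute lifetime and the "background polls do not refresh
the idle timer" option are hardening controls assumed for this example only.
"""
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_S = 60 * 60   # web.xml session-timeout of 60 minutes, in seconds
POLL_INTERVAL_S = 30       # workbox notification poll interval from the thread


@dataclass
class Session:
    created_at: float   # simulated clock, seconds
    last_active: float  # last request that counted as user activity


class SessionStore:
    """In-memory session table with an idle timeout and an optional absolute lifetime."""

    def __init__(self, idle_timeout_s: float, absolute_lifetime_s: Optional[float] = None,
                 background_refreshes_idle: bool = True) -> None:
        self.idle_timeout_s = idle_timeout_s
        # Hypothetical hard cap on session age, regardless of activity.
        self.absolute_lifetime_s = absolute_lifetime_s
        # Whether background polls (e.g. a notification check) reset the idle timer.
        # True matches the servlet container behaviour the thread complains about.
        self.background_refreshes_idle = background_refreshes_idle
        self.sessions: Dict[str, Session] = {}

    def create(self, sid: str, now: float) -> None:
        self.sessions[sid] = Session(created_at=now, last_active=now)

    def request(self, sid: str, now: float, background: bool = False) -> bool:
        """Handle a request carrying session cookie `sid` at simulated time `now`.

        Returns True if the session is still valid after the request, False if it
        was expired (and removed) by the idle or absolute rule.
        """
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s.last_active > self.idle_timeout_s:
            del self.sessions[sid]
            return False
        if self.absolute_lifetime_s is not None and now - s.created_at > self.absolute_lifetime_s:
            del self.sessions[sid]
            return False
        if not background or self.background_refreshes_idle:
            s.last_active = now
        return True


def unattended_session_alive(store: SessionStore, poll_interval_s: Optional[float],
                             elapsed_s: float) -> bool:
    """Simulate a user who logs in, then walks away, while the browser tab keeps polling.

    Returns whether someone sitting down at the workstation after `elapsed_s`
    seconds would still find a live session when they make an interactive request.
    """
    sid = "constructed-session-id"  # constructed sample value
    store.create(sid, now=0.0)
    if poll_interval_s is not None:
        t = poll_interval_s
        while t < elapsed_s:
            store.request(sid, now=t, background=True)
            t += poll_interval_s
    # The first interactive request after the user left.
    return store.request(sid, now=elapsed_s, background=False)


if __name__ == "__main__":
    three_hours = 3 * 3600
    print("idle timeout, no polling, 3h later:",
          unattended_session_alive(SessionStore(IDLE_TIMEOUT_S), None, three_hours))
    print("idle timeout, 30s polling, 3h later:",
          unattended_session_alive(SessionStore(IDLE_TIMEOUT_S), POLL_INTERVAL_S, three_hours))
    print("idle + 8h absolute cap, 30s polling, 9h later:",
          unattended_session_alive(SessionStore(IDLE_TIMEOUT_S, 8 * 3600), POLL_INTERVAL_S, 9 * 3600))
    print("polls do not refresh idle, 30s polling, 3h later:",
          unattended_session_alive(SessionStore(IDLE_TIMEOUT_S, background_refreshes_idle=False),
                                   POLL_INTERVAL_S, three_hours))
```

The second scenario is the bug from the thread: every 30-second poll lands well inside the 60-minute idle window and resets it, so the session never expires. Either of the two assumed controls closes it: an absolute lifetime bounds how long a hijacked session is useful, and excluding background traffic from the idle calculation restores the timeout the web.xml setting was meant to enforce.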
Hey,
Just for our community to know, that's indeed a bug. We'll have to vote on the bug report, that way our Dev team can see it, and then fix it.
We don't have an ETA for it right now, but please add yourself as a watcher in the ticket, that way our team will keep you updated.
Cheers,
WZ
There is a comment:
"By disabling the Notifications and Tasks plugins (there are three, located in the System Plugins section of Installed Plugins), the call will stop, and session invalidation will work as expected."
What will be the side effects? Will users still be informed if changes are made to pages?
Hi WSST,
I would take a look at https://confluence.atlassian.com/pages/viewpage.action?pageId=126910597. I think this is what you're looking to update. It could have a new default in the newer version.