A client of ours has some very strict IT security rules for vendor systems that will contain sensitive data. One such rule is that a user may not be logged in for more than 10 hours without re-authenticating, regardless of activity.
I believe this is different from session-timeout in web.xml which seems to deal with inactivity timeouts.
Can you please help me understand how I can meet this requirement, if possible?
Thanks Jeff for getting back....
The issue with the above method is session-timeout overrides the value mentioned in autologin.cookie.age, so if the user has a dashboard which refreshes every 5 minutes then in that case this setting won't work...
I figured out the answer somehow...
Under web.xml, add the following code:
<!-- session config -->
<session-config>
    <session-timeout>300</session-timeout>
    <cookie-config>
        <max-age>36000</max-age>
    </cookie-config>
</session-config>
I have set a max-age cookie of 10 hours... This way you are forcing JIRA users to log out after 10 hrs even though there is some activity in the last couple of minutes...
Hope this helps...
Thanks,
Sunil Pothireddy
Thank you, Sunil!
I had to debug session expiration in my iOS app. Setting <max-age> and <session-timeout> to 60 seconds worked great for this purpose. You are awesome.
Hello,
The JIRA authentication in browser is determined by a cookie, so you can set its timeout in $JIRA_INSTALL/WEB-INF/classes/seraph-config.xml -- please look for the following parameters:
<!-- This property sets the default remember me cookie max age in seconds. It is currently set to 2 weeks -->
<init-param>
    <param-name>autologin.cookie.age</param-name>
    <param-value>1209600</param-value>
</init-param>
1209600 seconds means 14 days, but you can set it to 864000 (10 hours). Please remember to restart JIRA after that.
I hope it helps!
Best regards,
Lucas Timm 
I tested this and autologin.cookie.age controls the lifetime of the cookie set when the user checks Remember My Login. This isn't quite enough to meet the requirement because as long as the session remains active the user won't be forced to re-authenticate even after the seraph.rememberme.cookie cookie expires.
It is almost like I need the login session cookie to have a timeout of 10 hours instead of session.
Any luck, @Jeffrey Shank?
I need to set something similar... Please let me know if you could find any workaround for this?
I never found a work around. We had to get an exception from the client on this security requirement.
Jeff, take a look at this link as this is probably what you're looking for.
https://confluence.atlassian.com/display/JIRA/Changing+the+default+session+timeout
**Edit: will not log them out regardless of activity but will ensure they're logged out after that inactivity period.
I used the method from that article to deal with the inactivity timeout requirement. I'm still seeking an answer for limiting the max lifetime of a session, independent of activity.
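A server-side way to cap total session lifetime regardless of activity, as asked in the original question (added example, not code from any poster or from Atlassian): a generic Servlet filter that checks the session's creation time on every request. The class name, the maxAgeSeconds init-param and the redirect target are assumptions; it assumes the javax.servlet API, would be registered in web.xml with a filter mapping on /*, and has not been tested against JIRA.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: ends any session older than the configured age, even if it is active. */
public class AbsoluteSessionTimeoutFilter implements Filter {
    private long maxAgeMillis = 10L * 60 * 60 * 1000; // default: 10 hours

    @Override
    public void init(FilterConfig cfg) {
        String v = cfg.getInitParameter("maxAgeSeconds"); // hypothetical init-param name
        if (v != null) {
            maxAgeMillis = Long.parseLong(v.trim()) * 1000L;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session here
        // getCreationTime() is fixed when the session is created and is not moved by
        // activity, unlike the idle timer behind <session-timeout>. A session created
        // before login only makes the cutoff earlier, never later.
        if (session != null && isExpired(session.getCreationTime(), System.currentTimeMillis())) {
            session.invalidate(); // server-side: does not depend on the browser dropping a cookie
            ((HttpServletResponse) res).sendRedirect(http.getContextPath() + "/");
            return;
        }
        chain.doFilter(req, res);
    }

    boolean isExpired(long createdMillis, long nowMillis) {
        return nowMillis - createdMillis >= maxAgeMillis;
    }

    @Override
    public void destroy() { }
}
```

Unlike the cookie max-age in web.xml, this check does not rely on the client honouring cookie expiry. A still-valid remember-me cookie (the autologin.cookie.age setting discussed above) could log the user straight back in, so that lifetime has to be bounded as well.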