# How to adjust the session timeout for Confluence


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

# Summary

In Confluence there are two session-related cookies:

• JSESSIONID: used and managed by Tomcat. By default it is a session cookie.
  Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers restore sessions when restarting, which can cause session cookies to last indefinitely.

• seraph.confluence: used by the Confluence application and managed through the Seraph framework. It is a permanent cookie.
  Permanent cookies are deleted at the date specified by the Expires attribute, or after the period of time specified by the Max-Age attribute.

When seraph.confluence isn't set and the only cookie identifying the session is the JSESSIONID, the session is lost (the user needs to authenticate again) when:

• The user closes the browser.
• The application node is restarted.
• The user is sent to a different application node in a clustered Data Center.
• The user logs out.
• The user is idle for 60 minutes.
  • This doesn't apply while working in the Confluence editor: the session isn't lost if the user is idle in the editor for more than 60 minutes.

When seraph.confluence is set, its default max-age is 14 days (1209600 seconds); once it expires, the browser automatically deletes the cookie and the rules detailed above apply again.
However, while this cookie is valid it takes precedence over the JSESSIONID, so the user does not lose the session when:

• The browser is closed.
• The application node is restarted.
• The user is sent to a different application node in a clustered Data Center.
• The user is idle on the browser.

If a Confluence administrator needs to adjust a user's session timeout, the expiration time of these two cookies must be adjusted.

Changes can be applied to the following configuration files:

• <confluence-install>/conf/web.xml
  • This is where the Tomcat session cookie (JSESSIONID) assigned globally by the web server is managed.
• <confluence-install>/confluence/WEB-INF/web.xml
  • This is where the Tomcat session cookie (JSESSIONID) assigned to the Confluence application is managed.
  • Values adjusted here take precedence over the file above.
• <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml
  • This is where the lifetime of the seraph.confluence cookie is managed.

# Environment

Confluence Data Center and Server.

# Solution

## Change the idle timeout

Let's suppose you want to invalidate a session when the user is idle for 5 hours (this is just an example; change the value based on your needs), unless the remember-me option is checked.
Then the only file you need to touch is <confluence-install>/confluence/WEB-INF/web.xml.

1. Edit <confluence-install>/confluence/WEB-INF/web.xml and search for a block similar to the one below (this is the default configuration).

        <session-config>
            <session-timeout>60</session-timeout>
        </session-config>

2. Adjust the configuration as below. The session timeout is configured in minutes.

        <session-config>
            <session-timeout>300</session-timeout>
        </session-config>

3. Restart Confluence to apply the changes.

When running Confluence on a cluster, the above changes must be applied on every node.
A rolling restart is enough, meaning you won't have full downtime.

## Change the lifetime of the seraph.confluence cookie

Let's suppose you want to change the lifetime of the seraph.confluence cookie to 2 days (this is just an example; change the value based on your needs).
Then the only file you need to touch is <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml.
Usually, this is the configuration you change when you need to modify the session timeout.

1. Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml and add the following initialization parameter inside the <parameters> element. The value is in seconds.

        <!-- session-timeout -->
        <init-param>
            <param-name>autologin.cookie.age</param-name>
            <param-value>172800</param-value>
        </init-param>

    By default the autologin.cookie.age parameter isn't set in the file. If you changed it before, search for it and modify the value there instead.

2. Restart Confluence to apply the changes.

When running Confluence on a cluster, the above changes must be applied on every node.
A rolling restart is enough, meaning you won't have full downtime.

## Forcefully log out users a fixed time after they authenticated

Let's suppose you have strict security policies and need to expire a user session 8 hours (this is just an example; change the value based on your needs) after the user authenticated, whether the user is idle or not.
This will log out the user even while they are actively working in the Confluence editor, which is sometimes unwanted, so be sure before choosing this option.
Choose this option only when the combination of both solutions above is not enough.

1. Edit <confluence-install>/conf/web.xml and search for a block similar to the one below (this is the default configuration).

        <session-config>
            <session-timeout>30</session-timeout>
        </session-config>

2. Adjust the configuration as below. The max-age element belongs inside the <cookie-config> element of the session configuration.

        <session-config>
            <session-timeout>480</session-timeout>
            <cookie-config>
                <max-age>28800</max-age>
            </cookie-config>
        </session-config>

    • session-timeout is configured in minutes while max-age is configured in seconds.
    • Adding a max-age to the JSESSIONID turns it into a permanent cookie.

3. Edit <confluence-install>/confluence/WEB-INF/web.xml and search for a block similar to the one below (this is the default configuration).

        <session-config>
            <session-timeout>60</session-timeout>
        </session-config>

4. Adjust the configuration as below.

        <session-config>
            <session-timeout>480</session-timeout>
            <cookie-config>
                <max-age>28800</max-age>
            </cookie-config>
        </session-config>

5. Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml and add the following initialization parameter inside the <parameters> element.

        <!-- session-timeout -->
        <init-param>
            <param-name>autologin.cookie.age</param-name>
            <param-value>28800</param-value>
        </init-param>

    By default the autologin.cookie.age parameter isn't set in the file. If you changed it before, search for it and modify the value there instead.

6. Restart Confluence to apply the changes.

When running Confluence on a cluster, the above changes must be applied on every node.
A rolling restart is enough, meaning you won't have full downtime.
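As an added check, not part of this article or of Atlassian's tooling, the script below reads the three files described above and reports the effective idle timeout, JSESSIONID max-age and seraph.confluence cookie age, applying the precedence rule that confluence/WEB-INF/web.xml overrides conf/web.xml. The XML samples are constructed stand-ins for the real files; the namespaced `<web-app>` root and the `<cookie-config>` wrapper follow the standard web.xml schema.

```python
import xml.etree.ElementTree as ET
SERAPH_DEFAULT_COOKIE_AGE = 1209600  # 14 days, the default stated above

# Constructed samples standing in for the three files described above.
GLOBAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""
APP_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>300</session-timeout></session-config>
</web-app>"""
SERAPH_XML = """<security-config><parameters>
  <init-param><param-name>autologin.cookie.age</param-name>
    <param-value>172800</param-value></init-param>
</parameters></security-config>"""

def _local(tag):
    """Strip the XML namespace from a tag; web.xml elements are namespaced."""
    return tag.rsplit('}', 1)[-1]

def _child(node, *names):
    """Descend by local element names; None if any step is missing."""
    for name in names:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return node

def session_config(web_xml):
    """(session-timeout in minutes, cookie-config/max-age in seconds), None if unset."""
    root = ET.fromstring(web_xml)
    timeout = _child(root, 'session-config', 'session-timeout')
    max_age = _child(root, 'session-config', 'cookie-config', 'max-age')
    return (int(timeout.text) if timeout is not None else None,
            int(max_age.text) if max_age is not None else None)

def seraph_cookie_age(seraph_xml):
    """autologin.cookie.age in seconds, or the 14-day default when not set."""
    for param in ET.fromstring(seraph_xml).iter():
        name = _child(param, 'param-name') if _local(param.tag) == 'init-param' else None
        if name is not None and name.text.strip() == 'autologin.cookie.age':
            return int(_child(param, 'param-value').text)
    return SERAPH_DEFAULT_COOKIE_AGE

def audit(global_web_xml, app_web_xml, seraph_xml):
    """Effective values; confluence/WEB-INF/web.xml overrides conf/web.xml."""
    g_timeout, g_max_age = session_config(global_web_xml)
    a_timeout, a_max_age = session_config(app_web_xml)
    return {'idle_timeout_minutes': a_timeout if a_timeout is not None else g_timeout,
            'jsessionid_max_age_seconds': a_max_age if a_max_age is not None else g_max_age,
            'seraph_cookie_age_seconds': seraph_cookie_age(seraph_xml)}
```

A `jsessionid_max_age_seconds` of `None` means JSESSIONID is still a browser-session cookie, so the browser-close and node-restart rules from the summary apply.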

# References

Confluence cookies

HTTP authentication with Seraph