How to force all users of Atlassian on-prem products to re-authenticate their sessions on the browser


アトラシアン コミュニティをご利用ください。


プラットフォームについて: サーバーと Data Center のみ。この記事は、サーバーおよび Data Center プラットフォームのアトラシアン製品にのみ適用されます。


There are times the application administrator may need to invalidate the session of all users accessing the Atlassian product from a browser and force them to authenticate again.

In general, Atlassian products rely on two cookies that identify a user session on a browser:

  • Tomcat cookie.
    • The default name is JSESSIONID or BITBUCKETSESSIONID depending on the product.
    • By default the values are managed in-memory by Tomcat.
  • Seraph cookie.
    • Also known as the remember me cookie with different (default) naming convention for each product.
    • By default the values are stored on the application database.
    • Bitbucket uses a different framework than Seraph.
  • Jetty cookie
    • The default name used by Fisheye/Crucible is FESESSIONID.

You may want to check each product's documentation to learn more about their cookies.

Currently there's no in-product feature to clear users' browser sessions as detailed in the following issues.

キー 要約 T 更新日 ステータス

The remainder of the document describes workarounds to invalidate cookies' values and forcing users to authenticate again.

This document is provided as-is

Atlassian on-prem products are flexible enough to allow some customization, however Atlassian's Support Offerings do not cover assistance on this area. Consequently, Atlassian cannot guarantee providing any support for them.

If any assistance with customization is required, please check one of the following channels:


This document covers steps to the following Atlassian on-prem products:

  • Bamboo Data Center or Server.
  • Bitbucket Data Center or Server.
  • Confluence Data Center or Server.
  • Jira Data Center or Server (Core, Software and Service Management).
  • Fisheye/Crucible Server


Clearing the remember me token database table

This workaround relies on deleting known remember me token values from the database and then restarting the application.

With the application restart any Tomcat cookie value is reset, since this is managed in-memory.
Deleting known remember me values invalidates the token stored on the users' browsers.

Both of the above changes will force any user to re-authenticate as their cookies will be invalid.

It's important to note this is a disruptive change to all users.


データベースの変更を行う場合は必ず事前にバックアップを取得してください。可能な場合は、まずステージング サーバーで SQL コマンドの変更、挿入、更新、または削除を行うようにします。

  1. Check the current values stored on the database.

    Expand to see the SQL query...
    select * from rememberme_token;
    select * from sta_remember_me_token;
    select * from remembermetoken;
    select * from remembermetoken;
    select * from cru_login_cookie;
  2. Delete all values from the table storing the remember me tokens.

    Expand to see the SQL query...

    1. In the upper-right corner of the screen, select Administration  > System.
    2. Under Security (the left-side panel), select Remember my login to open the Remember my login for all users page.
    3. Select Clear all to remove all "remember my login" tokens from the Jira server.

    If you need to delete it from the Jira database directly...

    Deleting directly from the Jira database is only needed if you can't access the above feature from the Jira administration.

    delete from remembermetoken;

    delete from rememberme_token;
    delete from sta_remember_me_token;
    delete from remembermetoken;
    delete from cru_login_cookie;
  3. Restart the application so the changes are applied to the in-memory cache and to clear Tomcat session cookies.
    1. When running the application on a cluster, then the restart must my be applied to each node. A rolling restart is enough, meaning you won't have a full downtime.


Using HTTP Cookies - Mozilla

Bamboo cookies

Confluence のクッキー

Jira アプリケーションのクッキー (cookie)


Atlassian Seraph

最終更新日: 2022 年 12 月 19 日


Powered by Confluence and Scroll Viewport.