How to force all users of Atlassian on-prem products to re-authenticate their sessions on the browser (Server and Data Center)
プラットフォームについて: Data Center - この記事は、Data Center プラットフォームのアトラシアン製品に適用されます。
このナレッジベース記事は製品の Data Center バージョン用に作成されています。Data Center 固有ではない機能の Data Center ナレッジベースは、製品のサーバー バージョンでも動作する可能性はありますが、テストは行われていません。サーバー*製品のサポートは 2024 年 2 月 15 日に終了しました。サーバー製品を利用している場合は、アトラシアンのサーバー製品のサポート終了のお知らせページにて移行オプションをご確認ください。
*Fisheye および Crucible は除く
要約
There are times when the application administrator may need to invalidate the session of all users accessing the Atlassian product from a browser and force them to authenticate again.
In general, Atlassian products rely on two cookies that identify a user session on a browser:
- Tomcat cookie.
- The default name is
JSESSIONIDorBITBUCKETSESSIONIDdepending on the product. - By default the values are managed in-memory by Tomcat.
- The default name is
- Seraph cookie.
- Also known as the remember me cookie with a different (default) naming convention for each product.
- By default the values are stored on the application database.
- Bitbucket uses a different framework than Seraph.
- Jetty cookie
- The default name used by Fisheye/Crucible is FESESSIONID.
You may want to check each product's documentation to learn more about their cookies.
Currently there's no in-product feature to clear users' browser sessions as detailed in the following issues.
JRASERVER-65889 - As a JIRA Administrator I want to kill user session (fixed in 9.11.0 and later)
CONFSERVER-59978 - As a Confluence Administrator I want to kill user session
BSERV-11793 - Add the option to kill all user sessions
The remainder of the document describes workarounds to invalidate cookies' values and force users to authenticate again.
This document is provided as-is
Atlassian on-prem products are flexible enough to allow some customization, however Atlassian's Support Offerings do not cover assistance on this area. Consequently, Atlassian cannot guarantee providing any support for them.
If any assistance with customization is required, please check one of the following channels:
環境
This document covers steps to the following Atlassian on-prem products:
- Bamboo Data Center or Server.
- Bitbucket Data Center or Server.
- Confluence Data Center or Server.
- Jira Data Center or Server (Core, Software and Service Management).
- Fisheye/Crucible Server
回避策
Clearing the remember me token database table
This workaround relies on deleting known remember me token values from the database and then restarting the application.
With the application restart any Tomcat cookie value is reset, since this is managed in-memory.
Deleting known remember me values invalidates the token stored on the users' browsers.
Both of the above changes will force any user to re-authenticate as their cookies will be invalid.
It's important to note this is a disruptive change to all users.
方法
データベースの変更を行う場合は必ず事前にバックアップを取得してください。可能な場合は、まずステージング サーバーで SQL コマンドの変更、挿入、更新、または削除を行うようにします。
Check the current values stored on the database.
Delete all values from the table storing the remember me tokens.
Expand to see the SQL query...Jira
1. In the upper-right corner of the screen, select Administration
> System.
2. Under Security (the left-side panel), select Remember my login to open the Remember my login for all users page.
3. Select Clear all to remove all "remember my login" tokens from the Jira server.Bamboo
delete from rememberme_token;Bitbucket
delete from sta_remember_me_token;Confluence
delete from remembermetoken;Fisheye/Crucible
delete from cru_login_cookie;- Restart the application so the changes are applied to the in-memory cache and to clear Tomcat session cookies.
- When running the application on a cluster, then the restart must my be applied to each node. A rolling restart is enough, meaning you won't have a full downtime.