How to force all users of Atlassian on-prem products to re-authenticate their sessions on the browser (Server and Data Center)


About platforms: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

There are times when an application administrator needs to invalidate the sessions of all users accessing the Atlassian product from a browser and force them to authenticate again.

In general, Atlassian products rely on two cookies that identify a user session on a browser:

  • Tomcat cookie.
    • The default name is JSESSIONID or BITBUCKETSESSIONID depending on the product.
    • By default the values are managed in-memory by Tomcat.
  • Seraph cookie.
    • Also known as the remember me cookie; its default name differs for each product.
    • By default the values are stored on the application database.
    • Bitbucket uses a different framework than Seraph.
  • Jetty cookie
    • The default name used by Fisheye/Crucible is FESESSIONID.

You may want to check each product's documentation to learn more about their cookies.


Currently there's no in-product feature to clear users' browser sessions as detailed in the following issues.



The remainder of the document describes workarounds to invalidate the cookies' values and force users to authenticate again.


This document is provided as-is

Atlassian on-prem products are flexible enough to allow some customization; however, Atlassian's Support Offerings do not cover assistance in this area. Consequently, Atlassian cannot guarantee support for such customizations.

If any assistance with customization is required, please check one of the following channels:

Environment

This document covers steps for the following Atlassian on-prem products:

  • Bamboo Data Center or Server.
  • Bitbucket Data Center or Server.
  • Confluence Data Center or Server.
  • Jira Data Center or Server (Core, Software and Service Management).
  • Fisheye/Crucible Server

Workaround

Clearing the remember me token database table

This workaround relies on deleting known remember me token values from the database and then restarting the application.

The application restart resets every Tomcat cookie value, since these are managed in-memory.
Deleting the known remember me values invalidates the tokens stored on the users' browsers.

Both of the above changes will force any user to re-authenticate as their cookies will be invalid.

It's important to note this is a disruptive change to all users.

Steps

Always back up your data before making any database modifications. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.

  1. Check the current values stored on the database. Run the query for your product:

    select * from rememberme_token;        -- Bamboo
    select * from sta_remember_me_token;   -- Bitbucket
    select * from remembermetoken;         -- Confluence
    select * from remembermetoken;         -- Jira
    select * from cru_login_cookie;        -- Fisheye/Crucible
  2. Delete all values from the table storing the remember me tokens.

    Jira:

    1. In the upper-right corner of the screen, select Administration > System.
    2. Under Security (the left-side panel), select Remember my login to open the Remember my login for all users page.
    3. Select Clear all to remove all "remember my login" tokens from the Jira server.

    Deleting directly from the Jira database is only needed if you can't access the above feature from the Jira administration:

    delete from remembermetoken;

    Other products:

    delete from rememberme_token;        -- Bamboo
    delete from sta_remember_me_token;   -- Bitbucket
    delete from remembermetoken;         -- Confluence
    delete from cru_login_cookie;        -- Fisheye/Crucible
  3. Restart the application so the changes are applied to the in-memory cache and to clear Tomcat session cookies.
    1. When running the application on a cluster, the restart must be applied to each node. A rolling restart is enough, meaning you won't have a full downtime.
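
A staging rehearsal of steps 1 and 2, as an added example that is not part of the original article or of Atlassian's tooling: it counts the rows, snapshots them, deletes them and verifies the table is empty, all in one transaction. SQLite and the `demo_db` schema are stand-ins constructed so it runs offline; `purge_tokens` and `demo_db` are names chosen for this example.

```python
import sqlite3

# Table names exactly as listed in the article. Identifiers cannot be bound as
# SQL parameters, so anything outside this allow-list is refused.
TOKEN_TABLES = {"rememberme_token", "sta_remember_me_token",
                "remembermetoken", "cru_login_cookie"}


def purge_tokens(conn, table):
    """Snapshot `table` to `<table>_bak`, delete its rows, return (before, after).

    Runs as one transaction: a missing table, an existing snapshot or rows
    surviving the delete roll everything back and raise.
    """
    if table not in TOKEN_TABLES:
        raise ValueError(f"not a remember-me table from the article: {table!r}")
    conn.execute("BEGIN")
    try:
        before = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        # The snapshot holds the old tokens: drop it once the purge is verified.
        conn.execute(f"CREATE TABLE {table}_bak AS SELECT * FROM {table}")
        conn.execute(f"DELETE FROM {table}")
        after = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        if after != 0:
            raise RuntimeError(f"{after} rows survived the delete")
        conn.execute("COMMIT")
    except Exception:
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        raise
    return before, after


def demo_db():
    """Constructed stand-in for a staging database; the columns are invented."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # manual transactions
    conn.execute("CREATE TABLE remembermetoken (id INTEGER, username TEXT, token TEXT)")
    conn.executemany("INSERT INTO remembermetoken VALUES (?, ?, ?)",
                     [(1, "alice", "t-1"), (2, "bob", "t-2"), (3, "alice", "t-3")])
    return conn


if __name__ == "__main__":
    print(purge_tokens(demo_db(), "remembermetoken"))
```

A second run against the same table raises instead of overwriting the existing snapshot, so the earlier copy is never silently lost.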



References

Using HTTP Cookies - Mozilla

Bamboo cookies

Confluence cookies

Jira application cookies

Preventing automatic login

Atlassian Seraph



Last updated: July 30, 2024
