Confluence uses Seraph, an open source framework, for HTTP cookie authentication.

Cookie

Confluence uses two cookies:

  • The JSESSIONID cookie is created by the application server and used for session tracking purposes.
  • The 'remember me' cookie, seraph.confluence, is generated by Confluence when the user selects the 'Remember me' checkbox on the login page.

(info) You can read about cookies on the Wikipedia page.

The 'Remember Me' Cookie

The 'remember me' cookie is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. Confluence generates this cookie when the user selects the 'Remember me' checkbox on the login page.

Cookie Key and Value

By default, the cookie key is seraph.confluence. This key is defined in the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file, in the login.cookie.key parameter.

The cookie contains a unique identifier plus a securely-generated random string.

Use of Cookie for Authentication

When a user requests a web page, if the request is not already authenticated via session-based authentication or otherwise, Confluence will match the 'remember me' cookie (if present) against the token stored for the user in the Confluence database (if present).

ランダムな文字列が、データベースに格納されている値と一致し、クッキーの有効期限が切れていない場合は、ユーザーは認証されます。

Life of 'Remember Me' Cookies

cookie には有効期限を設定できます。これを行うには、CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml ファイルを変更し、‪init-param ‬要素の下に次の行を挿入します。

        <init-param>
            <param-name>autologin.cookie.age</param-name>
            <param-value>2592000</param-value><!-- 30 days in seconds -->
        </init-param>

Automatic Cleanup of 'Remember Me' Tokens

Every cookie issued by Confluence has a corresponding record in the database. A scheduled job runs on 20th of every month to clean up expired tokens. The name of the trigger is clearExpiredRememberMeTokensTrigger.

注意: このジョブの唯一の目的は、データベース テーブルが巨大化するのを防止することです。認証目的については、Confluence は期限切れのトークンがまだデータベースに存在していても無視します。

Is it Possible to Disable the 'Remember Me' Feature?

Confluence does not offer an option for disabling the 'Remember Me' feature. See the workaround.

注意

  • The autocomplete that happens when a user logs in is a browser feature, not a Confluence feature. Confluence cannot enable or disable the autocompletion.
関連トピック

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.