How to adjust the session timeout for Confluence

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

In Confluence, there are two Session Cookies:

  • JSESSIONID: which is used and managed by Tomcat.

    • By default this is considered a Session cookie.

      Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.

  • seraph.confluence: which is used by the Confluence application and managed through the Seraph Framework.

    • This cookie is used when the remember me option is checked by the user during the login.

    • It is important to note that this option is enforced on clustered Confluence Data Center and the user won't see this on the login page. See How to configure the 'Remember Me' feature in Confluence if you want to change this.

    • This option is also enforced when configuring SSO through the SSO for Atlassian Server and Data Center App with default settings.

    • By default this is considered a Permanent cookie.

      Permanent cookies are deleted at the date set by the Expires attribute, or after the number of seconds set by the Max-Age attribute.

When seraph.confluence isn't set and the only cookie identifying the session is the JSESSIONID, then the session is lost (user needs to authenticate again) when:

  • User closes the browser.

  • The application node is restarted.

  • The user is sent to a different application node on a clustered Data Center.

  • The user logs out.

  • User is idle for 60 minutes.

    • This doesn't apply when working on the Confluence Editor, meaning the session isn't lost if the user is idle on the Editor for more than 60 minutes.

When seraph.confluence is set, its default max-age is 14 days (1209600 seconds). Once the browser deletes the cookie at the end of that period, the JSESSIONID rules detailed above apply again.

However, while this cookie is valid it has precedence over the JSESSIONID and then a user does not lose a session when:

  • The browser is closed.

  • The application node is restarted.

  • The user is sent to a different application node on a clustered Data Center.

  • The user is idle on the browser.

To adjust a user's session timeout, the Confluence administrator adjusts the lifetime of these two cookies.

Changes can be applied to the following configuration files:

  • <confluence-install>/conf/web.xml

    • This is where the Tomcat session cookie is managed globally, for every web application deployed in this Tomcat instance.

  • <confluence-install>/confluence/WEB-INF/web.xml

    • This is where the Tomcat session cookie (JSESSIONID) is managed for the Confluence application itself.

    • The value set here has precedence over the previous file.

  • <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml

    • This is where the lifetime of the seraph.confluence (Remember Me) cookie is set.

Environment

Confluence Data Center and Server.

Solution

Which method do I need?

Before making any changes, identify which timeout you need to adjust:

  If your goal is...                                                                          | File to edit                                 | Jump to
  ------------------------------------------------------------------------------------------- | -------------------------------------------- | ---------------------------------------------
  Users are logged out after idle time (e.g. the 60-minute default)                           | confluence/WEB-INF/web.xml                   | Change the idle timeout
  Users who are remembered (Remember Me or SSO) stay logged in across browser restarts for a shorter or longer period | confluence/WEB-INF/classes/seraph-config.xml | Change the lifetime of the Remember Me cookie
  Both of the above                                                                           | Both files                                   | Apply both changes below

Note: On a Confluence Data Center cluster, apply changes to every node. A rolling restart is sufficient — no full downtime is required.

Change the idle timeout

Let's suppose you want to invalidate a session when the user is idle for 5 hours (this is just an example and the value should be changed based on your needs), unless the remember me option is checked.

Then the only file you need to touch is <confluence-install>/confluence/WEB-INF/web.xml.

  1. Edit <confluence-install>/confluence/WEB-INF/web.xml and search for a block similar to the below – this is the default configuration.

    <session-config>
        <session-timeout>60</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
  2. Adjust this configuration as below – session timeout is configured in minutes.

    <session-config>
        <session-timeout>300</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
  3. Restart Confluence so the changes are applied.

When running Confluence on a cluster, then the above changes must be applied on every node. A rolling restart is enough, meaning you won't have a full downtime.

How to verify the change worked:

  1. Restart Confluence (rolling restart on cluster).

  2. Log in as a test user without checking "Remember me".

  3. Leave the browser idle, without the Confluence editor open (the editor keeps the session alive), for longer than the old timeout (default: 60 minutes) but less than the new one, then attempt a page action: you should still be logged in.

  4. Leave the browser idle for longer than the new timeout and attempt a page action again: you should now see a login prompt. If you shortened the timeout instead of lengthening it, swap the two checks.

  5. Check <confluence-home>/logs/atlassian-confluence.log for any session configuration errors on startup.

Change the lifetime of the Remember Me cookie

Let's suppose you want to change the lifetime of the seraph.confluence cookie to 2 days (this is just an example and the value should be changed based on your needs).

Then the only file you need to touch is <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml.

Usually, this is the configuration you would change when you need to modify the session timeout: on a clustered Data Center or with the SSO app at its defaults, Remember Me is enforced, so the seraph.confluence cookie lifetime is what users actually experience.

  1. Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.

    <!-- session-timeout -->
    <init-param>
        <param-name>autologin.cookie.age</param-name>
        <param-value>172800</param-value>
    </init-param>

    By default the autologin.cookie.age parameter isn't set in the file. If you made changes before you may want to search for it and modify the value there.

    The above block of configuration should be included within the <parameters> tags as below.

    <security-config>
        <parameters>
            <init-param>...</init-param>
            <init-param>...</init-param>
            <init-param>...</init-param>
            <init-param>...</init-param>
            <!--only basic authentication available-->
            <init-param>...</init-param>
            <!-- Invalidate session on login to prevent session fixation attack -->
            <init-param>...</init-param>
            <!-- Add names for session attributes that must not be copied to a new session when ...
                 Currently it is empty (i.e. all attributes will be copied). -->
            <init-param>
                <param-name>invalidate.session.exclude.list</param-name>
                <param-value></param-value>
            </init-param>
            <!-- session-timeout -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>172800</param-value>
            </init-param>
        </parameters>
        <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
        <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>
    </security-config>

  2. Restart Confluence so the changes are applied.

When running Confluence on a cluster, then the above changes must be applied on every node. A rolling restart is enough, meaning you won't have a full downtime.

How to verify the change worked:

  1. Restart Confluence.

  2. Log in as a test user and check "Remember me" (or confirm SSO enforces it).

  3. Close and reopen the browser.

  4. Navigate to Confluence — you should remain authenticated for the new cookie duration.

  5. Inspect the seraph.confluence cookie in your browser developer tools to confirm the expiry matches the value set in autologin.cookie.age.
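The Summary above describes the two cookies and which one decides when a session ends, and the verification step above asks you to inspect the seraph.confluence cookie in the browser. The following script, added here as an example and not part of the Atlassian article, does that inspection on the Set-Cookie headers of a login response: it tells you whether each cookie is a session or a permanent cookie and for how long, applies the article's precedence rule (a valid seraph.confluence cookie wins over JSESSIONID), and flags missing HttpOnly/Secure attributes while you are looking anyway. The two sets of headers are constructed to look like a Confluence response; they are not a real capture, and the cookie values are placeholders.

```python
"""Classify the cookies a Confluence login response sets.

Added example for this article, not Atlassian code. The Set-Cookie headers
below are constructed (not a real capture); cookie values are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieInfo:
    name: str
    persistent: bool                  # True when Max-Age or Expires is present
    lifetime_seconds: Optional[int]   # None for a browser-session cookie
    http_only: bool
    secure: bool


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieInfo:
    """Parse one Set-Cookie header value (the text after 'Set-Cookie: ')."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = None
    if "max-age" in attrs:
        # RFC 6265: Max-Age takes precedence over Expires when both are present
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    return CookieInfo(name, lifetime is not None, lifetime,
                      "httponly" in attrs, "secure" in attrs)


def session_behaviour(cookies, tomcat_idle_minutes=60):
    """Apply the article's rules to decide what ends the user's session."""
    by_name = {c.name: c for c in cookies}
    seraph = by_name.get("seraph.confluence")
    jsession = by_name.get("JSESSIONID")
    if seraph is not None and seraph.persistent:
        # A valid Remember Me cookie takes precedence over JSESSIONID
        return {"survives_browser_close": True, "survives_node_restart": True,
                "idle_logout_minutes": None,
                "hard_expiry_seconds": seraph.lifetime_seconds}
    return {"survives_browser_close": jsession is not None and jsession.persistent,
            "survives_node_restart": False,
            "idle_logout_minutes": tomcat_idle_minutes,
            "hard_expiry_seconds": jsession.lifetime_seconds if jsession else None}


def hardening_warnings(cookies):
    """Attributes a practitioner checks while in the developer tools anyway."""
    out = []
    for c in cookies:
        if not c.http_only:
            out.append(f"{c.name}: missing HttpOnly")
        if not c.secure:
            out.append(f"{c.name}: missing Secure")
    return out


# Constructed sample: stock Confluence Data Center login (Remember Me enforced)
SAMPLE_DEFAULT = [
    "JSESSIONID=placeholder-session-id; Path=/; HttpOnly; Secure",
    "seraph.confluence=placeholder-remember-me-token; Max-Age=1209600; Path=/; HttpOnly; Secure",
]
# Constructed sample: the hard-expiry configuration from the article (8 hours),
# with JSESSIONID given a max-age and autologin.cookie.age set to 28800
SAMPLE_HARD_EXPIRY = [
    "JSESSIONID=placeholder-session-id; Max-Age=28800; Path=/; HttpOnly; Secure",
    "seraph.confluence=placeholder-remember-me-token; Max-Age=28800; Path=/; HttpOnly",
]


def analyse(headers, now=None, tomcat_idle_minutes=60):
    now = now or datetime.now(timezone.utc)
    cookies = [parse_set_cookie(h, now) for h in headers]
    return cookies, session_behaviour(cookies, tomcat_idle_minutes), hardening_warnings(cookies)


if __name__ == "__main__":
    for label, sample, idle in (("default", SAMPLE_DEFAULT, 60), ("hard expiry", SAMPLE_HARD_EXPIRY, 480)):
        cookies, behaviour, warnings = analyse(sample, tomcat_idle_minutes=idle)
        print(label)
        for c in cookies:
            kind = f"permanent, {c.lifetime_seconds}s" if c.persistent else "session"
            print(f"  {c.name}: {kind}")
        print("  ", behaviour)
        for w in warnings:
            print("  WARNING", w)
```

To run it against a real node, copy the Set-Cookie header values from the login response in the browser's network tab (or from a curl -i login) into the list in place of the constructed samples; the lifetime reported for seraph.confluence should equal the autologin.cookie.age you configured.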

Forcefully logout users sometime after they authenticated

Let's suppose you have strict security policies and you need to expire a user session 8 hours (this is just an example and the value should be changed based on your needs) after they authenticated, no matter if the user is idle or not.

This will logout the user even if they are actively working on the Confluence editor – this is sometimes an unwanted behavior so you must be sure when choosing this option.

You should choose this option only when the combination of both the above solutions is not enough.

Below are the recommended configuration changes you need to perform on each of the files.

  1. Edit <confluence-install>/conf/web.xml and search for a block similar to the below – this is the default configuration.

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
  2. Adjust the configuration as below.

    <session-config>
        <session-timeout>480</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
        <cookie-config>
            <max-age>28800</max-age>
        </cookie-config>
    </session-config>
    • session-timeout is configured in minutes while max-age is configured in seconds.

    • Adding a max-age to the JSESSIONID turns it into a permanent cookie: the browser keeps it across restarts and discards it max-age seconds after it was set. Note that this expiry is enforced by the browser, not by Tomcat. The server still only applies the idle session-timeout, so a client that keeps presenting the cookie (a stolen cookie, for example) is not cut off by max-age alone.

  3. Edit <confluence-install>/confluence/WEB-INF/web.xml and search for a block similar to the below – this is the default configuration.

    <session-config>
        <session-timeout>60</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
  4. Adjust this configuration as below.

    <session-config>
        <session-timeout>480</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
        <cookie-config>
            <max-age>28800</max-age>
        </cookie-config>
    </session-config>
  5. Edit <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml and add the following initialization parameter.

    <!-- session-timeout -->
    <init-param>
        <param-name>autologin.cookie.age</param-name>
        <param-value>28800</param-value>
    </init-param>

    By default the autologin.cookie.age parameter isn't set in the file. If you made changes before you may want to search for it and modify the value there.

    The above block of configuration should be included within the <parameters> tags as below.

    <security-config>
        <parameters>
            <init-param>...</init-param>
            <init-param>...</init-param>
            <init-param>...</init-param>
            <init-param>...</init-param>
            <!--only basic authentication available-->
            <init-param>...</init-param>
            <!-- Invalidate session on login to prevent session fixation attack -->
            <init-param>...</init-param>
            <!-- Add names for session attributes that must not be copied to a new session when ...
                 Currently it is empty (i.e. all attributes will be copied). -->
            <init-param>
                <param-name>invalidate.session.exclude.list</param-name>
                <param-value></param-value>
            </init-param>
            <!-- session-timeout -->
            <init-param>
                <param-name>autologin.cookie.age</param-name>
                <param-value>28800</param-value>
            </init-param>
        </parameters>
        <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
        <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>
    </security-config>

  6. Restart Confluence so the changes are applied.

When running Confluence on a cluster, then the above changes must be applied on every node. A rolling restart is enough, meaning you won't have a full downtime.

When this guide does not apply

This article covers session timeout for Confluence Data Center and Server only. It does not cover:

  • Confluence Cloud: session management is handled by Atlassian and cannot be customised by administrators.

  • The identity provider's own session when SAML or OpenID Connect SSO is in use: web.xml and seraph-config.xml control the Confluence session (including the Remember Me cookie the SSO app enforces by default, as noted in the Summary), but not how long the IdP keeps the user signed in. When the Confluence session expires, a user with a still-valid IdP session may be signed straight back in without a password prompt, so that lifetime has to be shortened at the IdP.

  • Atlassian Guard session policies: these are set in admin.atlassian.com for Atlassian accounts on Cloud sites and do not apply to the Data Center sessions configured here.


Updated on June 2, 2026
