Invalidating user sessions in Jira Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Instant invalidation of a particular user session is possible in Jira Data Center in a single-node environment and, starting with Jira 9.11, in a multinode environment. Prior to Jira 9.11, instant user session invalidation in a multinode environment isn't possible.

Solution

How user session invalidation works

Jira Data Center has two places where user sessions are cached (in memory):

  • Webserver user sessions without any time limit for active sessions

  • Crowd authentication sessions with a 15-minute time limit for all sessions, including the active ones

Also, the remember me cookies are stored in your database.

User sessions get invalidated by specific user or admin actions that can be local (operating on a single node) or cluster-wide (operating on all nodes in a Data Center cluster).

In the following table, check which user session invalidation events operate locally and which operate cluster-wide, prior to Jira 9.11 and in Jira 9.11 and later. For example, prior to Jira 9.11, user sessions are only cleared on the node where a password was updated. Also, when a user’s password is changed, the remember me cookies are cleared from the database.

In Jira 9.11 and later, user sessions get cleared not only on a node where a password was updated but also on the rest of the nodes in the instance.

| Action | Prior to Jira 9.11: Local | Prior to Jira 9.11: Cluster | In Jira 9.11 and later: Local | In Jira 9.11 and later: Cluster |
|---|---|---|---|---|
| Admin changes a user’s password | ✔️ | | ✔️ | ✔️ |
| Admin anonymizes a user | ✔️ | | ✔️ | ✔️ |
| Admin deletes a user | ✔️ | | ✔️ | ✔️ |
| Admin invalidates a user's session through a REST API | N/A | N/A | ✔️ | ✔️ |
| User changes their password | ✔️ | | ✔️ | ✔️ |

How does an admin end a user’s session through a REST API?

To end a user’s session across the cluster, send a DELETE request to the following REST endpoint:

api/2/user/session/{username}

  • username is the username of the user whose session you’re invalidating.

The response won’t contain a body but can return one of the following statuses:

  • 200 if the operation is successful.

  • 401 if you aren’t logged in.

  • 403 if you don’t have permission to perform the operation.

  • 404 if a provided username wasn't found in Jira.
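The call described above, as an added example that is not part of the original article or Atlassian's own code: it sends the DELETE request for each user in a list, maps the four documented statuses, and reports which users still need follow-up. The `/rest/` prefix, bearer-token authentication, the host `jira.example.test` and all function names are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

# Status meanings as listed in the article.
STATUS_MEANING = {
    200: "session invalidated",
    401: "not logged in",
    403: "no permission to perform the operation",
    404: "username not found in Jira",
}


def session_url(base_url, username):
    """Build the endpoint URL for one user.

    The username is percent-encoded with no safe characters, so '/', '?'
    or '#' in a username cannot change the path or add a query string.
    """
    user = urllib.parse.quote(username, safe="")
    # Assumption: the REST API is served under <base_url>/rest/.
    return f"{base_url.rstrip('/')}/rest/api/2/user/session/{user}"


def invalidate_session(base_url, username, token, opener=urllib.request.urlopen):
    """Send the DELETE request and return (status, meaning)."""
    req = urllib.request.Request(
        session_url(base_url, username),
        method="DELETE",
        # Assumption: the admin authenticates with a bearer token.
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with opener(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        status = err.code
    return status, STATUS_MEANING.get(status, "unexpected status")


def invalidate_many(base_url, usernames, token, opener=urllib.request.urlopen):
    """Invalidate each user's session; return the users that need follow-up."""
    failed = {}
    for name in usernames:
        status, meaning = invalidate_session(base_url, name, token, opener)
        if status != 200:
            failed[name] = (status, meaning)
    return failed
```

A 404 in the returned dictionary usually means the account name was mistyped or already deleted, so it is worth checking before treating the account as handled.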

Workarounds

To invalidate all user sessions, you can delete all the remember me tokens from the database and, in a multinode Jira Data Center, perform a rolling restart of all nodes. For more details, learn how to force all users of Atlassian on-prem products to reauthenticate their sessions in the browser.

Updated on May 22, 2025
