User's sessions swapping in Jira Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When User A logs out and logs back in, the system's Single Sign-On (SSO) feature doesn't prompt for re-entry of credentials. Upon re-login, the system displays the avatar of a different user, not User A's. However, as User A continues to navigate the site, their avatar reverts to normal.

When User A visits the same page that User B is viewing, the page begins to refresh endlessly and the avatar changes to User B's. This behavior depends on who navigated to the page last.

The problem is visible under all of the following conditions:

  • With the SSO plugins disabled

  • In both private and regular browser sessions

  • With users in the internal user directory and in external user directories

Environment

The problem was seen with Jira 9.4.10 and might happen with other versions.

Diagnosis

  1. After User A logs out and attempts to log back in, the system does not ask for their credentials again.

  2. Strangely, on re-login, the avatar displayed is not that of User A but of a completely different user. The avatar displayed changes intermittently.

  3. The avatar reverts back to User A's as navigation continues through the site.

  4. When User A navigates to the same page that User B (or any other Jira user) is viewing, the page refreshes in a loop, and the avatar changes to other users.

  5. Bypassing the Proxy/LB helps to stop the problem.

Cause

  1. Using an F5 load balancer

  2. Using CloudFront as a CDN

  3. Using Apache web server as a reverse proxy

Solution

  1. F5 Load Balancer:

    1. Check with your LB administrator whether a Load Balancing Stickiness Strategy is in place. This is needed for a DC cluster to work properly.

    2. Check if any Web Acceleration Profile configuration is in place. This might be caching users' sessions and mixing them up.

  2. CloudFront: The cache mechanism has been found to be a cause of this misbehavior.

  3. Apache web server: Please see "Frequent logouts and Session swap / hijack in JIRA" and "Request Assumes Identity of Another User who Logs in Concurrently Due to Apache CacheIgnoreHeaders".
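
One way to confirm that a caching layer is mixing up sessions, as an added example that is not part of the Atlassian article: capture the response headers each user receives through the proxy/CDN and check whether a session cookie arrived from a cache or was issued to more than one user. The cookie name JSESSIONID, the Age and X-Cache indicators, and the sample captures are assumptions; adjust them to what your F5, CloudFront or Apache layer actually emits.

```python
from collections import defaultdict
from email.parser import Parser
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # assumption: Tomcat's default session cookie name

# Constructed sample (not real traffic): response heads captured for two users
# who logged in through the proxy/CDN. Session ID values are placeholders.
VIA_PROXY = {
    "user_a": "HTTP/1.1 200 OK\nSet-Cookie: JSESSIONID=EXAMPLE0001; Path=/; HttpOnly\n"
              "X-Cache: Miss from cloudfront\n",
    "user_b": "HTTP/1.1 200 OK\nSet-Cookie: JSESSIONID=EXAMPLE0001; Path=/; HttpOnly\n"
              "Age: 42\nX-Cache: Hit from cloudfront\n",
}

def parse_headers(raw):
    """Drop the status line and parse the remaining header block."""
    _, _, block = raw.strip().partition("\n")
    return Parser().parsestr(block, headersonly=True)

def session_id(headers):
    """Return the session ID this response sets, or None."""
    for value in headers.get_all("Set-Cookie", []):
        cookie = SimpleCookie(value)
        if SESSION_COOKIE in cookie:
            return cookie[SESSION_COOKIE].value
    return None

def served_from_cache(headers):
    """True if an intermediary reports answering from its own cache."""
    age = headers.get("Age", "0").strip()
    return (age.isdigit() and int(age) > 0) or "hit" in headers.get("X-Cache", "").lower()

def audit(captures):
    """captures maps user -> raw response head; returns a list of findings."""
    findings, owners = [], defaultdict(list)
    for user, raw in captures.items():
        headers = parse_headers(raw)
        sid = session_id(headers)
        if sid is not None:
            owners[sid].append(user)
            if served_from_cache(headers):
                findings.append(f"{user}: session cookie delivered from a cache")
    for sid, users in owners.items():
        if len(users) > 1:
            findings.append(f"same session ID issued to {', '.join(users)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(VIA_PROXY)))
```

Running the same audit on captures taken while bypassing the proxy/LB (Diagnosis step 5) should return no findings if the caching layer is the cause.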

Updated on March 10, 2025
