How to force all users of Atlassian on-prem products to re-authenticate their sessions on the browser (Server and Data Center)
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
There are times the application administrator may need to invalidate the session of all users accessing the Atlassian product from a browser and force them to authenticate again.
In general, Atlassian products rely on two cookies that identify a user session on a browser:
- Tomcat cookie.
- The default name is
JSESSIONID
orBITBUCKETSESSIONID
depending on the product. - By default the values are managed in-memory by Tomcat.
- The default name is
- Seraph cookie.
- Also known as the remember me cookie with different (default) naming convention for each product.
- By default the values are stored on the application database.
- Bitbucket uses a different framework than Seraph.
- Jetty cookie
- The default name used by Fisheye/Crucible is FESESSIONID.
You may want to check each product's documentation to learn more about their cookies.
Currently there's no in-product feature to clear users' browser sessions as detailed in the following issues.
The remainder of the document describes workarounds to invalidate cookies' values and forcing users to authenticate again.
This document is provided as-is
Atlassian on-prem products are flexible enough to allow some customization, however Atlassian's Support Offerings do not cover assistance on this area. Consequently, Atlassian cannot guarantee providing any support for them.
If any assistance with customization is required, please check one of the following channels:
Environment
This document covers steps to the following Atlassian on-prem products:
- Bamboo Data Center or Server.
- Bitbucket Data Center or Server.
- Confluence Data Center or Server.
- Jira Data Center or Server (Core, Software and Service Management).
- Fisheye/Crucible Server
Workaround
Clearing the remember me token database table
This workaround relies on deleting known remember me token values from the database and then restarting the application.
With the application restart any Tomcat cookie value is reset, since this is managed in-memory.
Deleting known remember me values invalidates the token stored on the users' browsers.
Both of the above changes will force any user to re-authenticate as their cookies will be invalid.
It's important to note this is a disruptive change to all users.
Procedure
Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.
Check the current values stored on the database.
Delete all values from the table storing the remember me tokens.
- Restart the application so the changes are applied to the in-memory cache and to clear Tomcat session cookies.
- When running the application on a cluster, then the restart must my be applied to each node. A rolling restart is enough, meaning you won't have a full downtime.