This page last changed on Oct 11, 2010 by smaddox.

Confluence uses Seraph, an open source framework, for HTTP cookie authentication.

Cookies

Confluence uses two cookies:

  • The JSESSIONID cookie is created by the application server and used for session tracking purposes.
  • The 'remember me' cookie, seraph.confluence, is generated by Confluence when the user selects the 'Remember me' checkbox on the login page.

Info: You can read about cookies on the Wikipedia page.

The 'Remember Me' Cookie

The 'remember me' cookie is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. Confluence generates this cookie when the user selects the 'Remember me' checkbox on the login page.

Cookie Key and Value

By default, the cookie key is seraph.confluence. This key is defined in the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file, in the login.cookie.key parameter.

The cookie contains a unique identifier plus a securely-generated random string.

Use of Cookie for Authentication

When a user requests a web page, if the request is not already authenticated via session-based authentication or otherwise, Confluence will match the 'remember me' cookie (if present) against the token stored for the user in the Confluence database (if present).

If the random string matches the value stored in the database and the cookie has not expired, the user is authenticated.

Life of 'Remember Me' Cookies

You can configure the maximum age of the cookie. To do that you will need to modify the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file and insert the following lines below the other init-param elements:

<init-param>
    <param-name>autologin.cookie.age</param-name>
    <param-value>2592000</param-value><!-- 30 days in seconds -->
</init-param>

Automatic Cleanup of 'Remember Me' Tokens

Every cookie issued by Confluence has a corresponding record in the database. A scheduled job runs on the 20th of every month to clean up expired tokens. The name of the trigger is clearExpiredRememberMeTokensTrigger.

Note: The only purpose of this job is to prevent the database table from growing too big. For authentication purposes, Confluence will ignore expired tokens even if they still exist in the database.
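The matching, expiry and cleanup behaviour described in the sections above can be sketched as follows. This is an added example, not Confluence or Seraph code. The '<id>:<random>' cookie layout, the in-memory TOKENS table and all function names are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_AGE = 2592000  # autologin.cookie.age value shown above: 30 days in seconds

# Stand-in for the database table: token id -> (username, random string, created)
TOKENS = {}
_next_id = 0


def issue(username, now=None):
    """Create a token record and return the cookie value '<id>:<random>'."""
    global _next_id
    _next_id += 1
    created = time.time() if now is None else now
    rand = secrets.token_hex(20)  # securely generated random string
    TOKENS[_next_id] = (username, rand, created)
    return f"{_next_id}:{rand}"  # assumed layout, not Confluence's wire format


def authenticate(cookie, now=None):
    """Return the username for a valid, unexpired cookie, else None."""
    now = time.time() if now is None else now
    ident, sep, presented = cookie.partition(":")
    if not sep:
        return None
    try:
        record = TOKENS.get(int(ident))
    except ValueError:
        return None
    if record is None:
        return None
    username, stored, created = record
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(stored.encode(), presented.encode()):
        return None
    # Expiry is enforced here, whether or not cleanup has removed the row yet.
    if now - created > MAX_AGE:
        return None
    return username


def clear_expired(now=None):
    """Housekeeping only: delete expired rows and return how many were removed."""
    now = time.time() if now is None else now
    stale = [i for i, (_, _, c) in TOKENS.items() if now - c > MAX_AGE]
    for i in stale:
        del TOKENS[i]
    return len(stale)
```

Because authenticate() checks the age itself, a token that outlives MAX_AGE is rejected even while its row is still waiting for the monthly cleanup.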

Is it Possible to Disable the 'Remember Me' Feature?

Confluence does not offer an option for disabling the 'Remember Me' feature. See the workaround.

Notes

  • The autocomplete that happens when a user logs in is a browser feature, not a Confluence feature. Confluence cannot enable or disable the autocompletion.

Document generated by Confluence on Sep 19, 2011 02:40