Confluence 3.5 : Confluence Cookies
This page last changed on Oct 11, 2010 by smaddox.
Confluence uses Seraph, an open source framework, for HTTP cookie authentication. CookiesConfluence uses two cookies:
The 'Remember Me' CookieThe 'remember me' cookie is a long-lived HTTP cookie. This cookie can be used to authenticate an unauthenticated session. Confluence generates this cookie when the user selects the 'Remember me' checkbox on the login page. Cookie Key and ValueBy default, the cookie key is seraph.confluence. This key is defined in the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file, in the login.cookie.key parameter. The cookie contains a unique identifier plus a securely-generated random string. Use of Cookie for AuthenticationWhen a user requests a web page, if the request is not already authenticated via session-based authentication or otherwise, Confluence will match the 'remember me' cookie (if present) against the token stored for the user in the Confluence database (if present). If the random string matches the value stored in the database and the cookie has not expired, the user is authenticated. Life of 'Remember Me' CookiesYou can configure the maximum age of the cookie. To do that you will need to modify the CONFLUENCE-INSTALLATION/confluence/WEB-INF/classes/seraph-config.xml file and insert the following lines below the other init-param elements: <init-param> <param-name>autologin.cookie.age</param-name> <param-value>2592000</param-value><!-- 30 days in seconds --> </init-param> Automatic Cleanup of 'Remember Me' TokensEvery cookie issued by Confluence has a corresponding record in the database. A scheduled job runs on 20th of every month to clean up expired tokens. The name of the trigger is clearExpiredRememberMeTokensTrigger. Note: The only purpose of this job is to prevent the database table from growing too big. For authentication purposes, Confluence will ignore expired tokens even if they still exist in the database. Is it Possible to Disable the 'Remember Me' Feature?Confluence does not offer an option for disabling the 'Remember Me' feature. See the workaround. Notes
RELATED TOPICS |
![]() |
Document generated by Confluence on Mar 16, 2011 18:29 |