Confluence protects access to its administrative functions by requiring a secure administration session to use the Confluence administration console or administer a space. When a Confluence administrator (who is logged into Confluence) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the Confluence/space administration console.

The temporary secure session has a rolling timeout (defaulted to 10 minutes). If there is no activity by the administrator in the Confluence/space administration console for a period of time that exceeds the timeout, then the administrator will be logged out of the secure administrator session (note, they will remain logged into Confluence). If the administrator does click an administration function, the timeout will reset.

 

(warning) The information on this page does not apply to

Unable to render {include} The included page could not be found.
.

To configure secure administrator sessions:

  1. Choose Browse > Confluence Admin.
  2. Click 'Security Configuration' in the 'Security' section. The 'Edit Security Configuration' screen will be displayed.
  3. Click the 'Edit' link.
    • To disable secure administrator sessions (i.e. administrators will not be required to log into a secure session to access the administration console), uncheck the 'Enable' checkbox next to 'Secure administrator sessions'.
    • To change the timeout for secure administrator sessions, update the value in textbox next to 'minutes before invalidation'. The default timeout for a secure administration session is 10 minutes.
  4. Click the 'Save' button.


Screenshot above: Configuring secure administrator sessions

Notes

  • Disabling password confirmation. Confluence installations that use a custom authentication mechanism may run into problems with the Confluence security measure that requires password confirmation. If necessary, you can set the password.confirmation.disabled system property to disable the password confirmation functionality. See Recognised System Properties. See issue CONF-20958 "Confluence features that require password confirmation (websudo, captcha) do not work with custom authentication".
  • WebSudo. The feature that provides secure administrator sessions is also called 'WebSudo'.
  • Manually ending a secure session. An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.
  • Note for developers. Secure administrator sessions can cause exceptions when developing against Confluence or deploying a plugin. Please read this FAQ: How do I develop against Confluence with Secure Administrator Sessions?​ Note: The Confluence XML-RPC and REST APIs are not affected by secure administration sessions.

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.