When a user creates a New JIRA Connection, JIRA Server URL, username and passwords are stored in the config.xml file located in the JIRAClient folder in the user's home directory (e.g. "%UserProfile%\JIRAClient\" or "C:\Users\%UserName%\JIRAClient\" on a Windows PC). The password is encrypted, however the file itself is not. The encryption algorithm is proprietary and is hard-coded into the application. From a practical perspective, if a config.xml file is moved to another PC, a user would be able to use it to login to JIRA instance without knowing the password itself. Therefore, the access to the folder and/or the file needs to be protected by the means of OS and network security.
Alternatively, a New JIRA Connection can be configured using WebLogin feature, available in JIRA Client v. 3.8 and later. When this feature is used, a user has an option of not storing passwords locally. Since JIRA Client will be using an embedded Web Browser to start JIRA session, user is required to enter username and password every time when initial session connection is established. In addition to keeping a password from being compromised this method allows to connect to JIRA instances that use complex authentication scenarios, e.g. Single Sign-On. Please keep in mind that when a web session is created, browser creates a cookie, that is used by the web server to identify the requests and ensure that they belong to the session. Therefore under certain circumstances the cookie may be used to gain unauthorized access to the current active session.
The behavior of an active JIRA session is determined by the settings of the Tomcat web server that JIRA Server runs on. However, JIRA Client can affect such behavior by keeping the session alive. When JIRA Client is running and if *Automatic Synchronization* is enabled, JIRA Client would be frequently and consistently checking JIRA server for changes, thus keeping the session alive. JIRA Client does not "log out" on it's own while it is running. So while it is running the web session will stay active. Currently there is no way to set a time out and force JIRA Client to log out automatically.
You can turn off *Automatic Synchronization* by right-clicking on the *Connection Node* in *NavigationTree* and going to *Get changes in background | Off*. That way unless a user synchronizes manually, JIRA Client will not connect to JIRA Server and the web session might expire on it's on, based on the Tomcat server settings.
Please read more on how to use WebLogin here: Connect with Web Browser