When a user creates a New JIRA Connection, the JIRA Server URL, username and password are stored in the config.xml file located in the JIRAClient folder in the user's home directory (e.g. "%UserProfile%\JIRAClient\" or "C:\Users\%UserName%\JIRAClient\" on a Windows PC). The password is encrypted, however the file itself is not. The encryption algorithm is very simple, proprietary, and hard-coded into the application. From a practical perspective, if a config.xml file is moved to another PC, a user would be able to use it to log in to the JIRA instance without knowing the password itself. Therefore, access to the folder and/or the file needs to be protected by means of OS and/or network security. If the file is not protected well, it can be used by anybody who has access to it to connect to JIRA. To our security conscious customers, we recommend .

Alternatively, a New JIRA Connection can be configured using the WebLogin feature, available in JIRA Client v. 3.8 and later. When this feature is used, a user has the option of not storing any login information locally. Since JIRA Client will be connecting to an active JIRA session managed by a web browser, the user can choose to enter the username and password every time a connection is established. Please keep in mind that if a user selects the Remember my login on this computer check box, the username and password may be stored by the browser itself. Also, while a session is active, the browser creates a cookie file that theoretically, under certain circumstances, may be used to gain unauthorized access to the current active session. Please read more about this feature

The behavior of an active web browser JIRA session is controlled by the settings of the Tomcat web server that JIRA Server runs on. However, JIRA Client can affect the behavior of the web session. When JIRA Client is running and *Automatic Synchronization* is enabled, JIRA Client frequently and consistently checks JIRA Server for changes, thus keeping the session alive. JIRA Client does not "log out" on its own while it is running, so the web session will stay active for as long as it runs. Currently there is no way to set a timeout and force JIRA Client to log out automatically.

You can turn off *Automatic Synchronization* by right-clicking on the *Connection Node* in *NavigationTree* and going to *Get changes in background | Off*. That way, unless a user synchronizes manually, JIRA Client will not connect to JIRA Server and the web session might expire on its own, based on the Tomcat server settings.

Please read more on how to use WebLogin here: Connect with Web Browser
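
For connections that do store credentials in config.xml, the OS-level protection described above can be checked and applied with file ACLs. The following PowerShell is an added example, not part of JIRA Client or its documentation; the function names are hypothetical, and it assumes the default `%UserProfile%\JIRAClient\config.xml` location and that the current user owns the file.

```powershell
# Added example: audit and tighten the ACL on JIRA Client's config.xml.
# Assumption: default location %UserProfile%\JIRAClient\config.xml.

function Get-ConfigAclFindings {
    param([string]$Path = (Join-Path $env:USERPROFILE 'JIRAClient\config.xml'))

    if (-not (Test-Path -LiteralPath $Path)) { throw "config.xml not found at $Path" }

    # Principals expected to hold access: current user, SYSTEM, local Administrators.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $expected = @($me.Value, 'S-1-5-18', 'S-1-5-32-544')

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable identity: report as-is
        }
        if ($expected -notcontains $sid) {
            # Any other principal with an Allow entry can copy the stored login.
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Protect-Config {
    param([string]$Path = (Join-Path $env:USERPROFILE 'JIRAClient\config.xml'))

    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)                     # only the current user keeps access
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

`Get-ConfigAclFindings` returns one object per unexpected principal and nothing when the ACL is already tight; `Protect-Config` also removes SYSTEM and Administrators, so adjust the granted entries if backup or management tooling needs to read the file.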