User session timeouts explained

End-user sessions with the Connect2id server have three types of associated timeouts, or limits:

  • Max session lifetime — the maximum time a session can live, regardless of how often the other timers are reset.

  • Max authentication lifetime — the maximum time that an authentication is valid for; the user will be prompted to re-authenticate after this timeout expires, while keeping the same session.

  • Max idle time — the maximum amount of time between OpenID authentcation requests, or other visits to the OpenID Provider, such as profile or account settings page, if that page is tied to the same session / cookie.

The session is automatically closed and purged by the Connect2id server once any one of these three timeout events occurs.

The three timeouts will typically have the following relationship:

max session lifetime > max auth lifetime > max idle time

So, for example, if you have 1 month, 1 week and 24h for the three timeouts, then a user has to login (or visit the IdP) at least once every day, else their session will expire due to inactivity. After one week the user will be asked to re-authenticate (e.g. reenter their password), and after a month the session will be terminated.

Setting the timeouts

The three timeouts are configured globally and can be overridden on a individual basis when a new session is created.

Note that the timeout unit is minutes!

To disable a particular timeout set its value to -1.

Disabling the auth timeout

If an authentication timeout is not required, you can disable it:

sessionStore.authLifetime = -1

Credit: Parts of this how-to have been contributed by a customer.

If you need help with configuring your session timeouts, contact Connect2id support.