User session timeouts explained

The sessions that end-users have with the Connect2id server have three kinds of timeouts, or limits:

  • max_life -- The maximum time a session can live.

  • auth_life -- The maximum time the user authentication is valid for. The Connect2id server will prompt the user to re-authenticate after this timeout expires, while keeping the session.

    For requests received at the authorisation endpoint where the user has an active session but its authentication time has expired, the Connect2id server will trigger an authentication prompt.

  • max_idle -- The maximum time between visits for login or consent to the authorisation endpoint, or visits to other pages, such as a profile or account settings page, if those pages use the session store API of the Connect2id server.

The Connect2id server will close a session when its max_life or max_idle times out.

Timeout relationship

The three timeouts must have the following relationship:

max_life >= auth_life >= max_idle

For example, if you have 1 month, 1 week and 24h for the three timeouts, then a user has to log in (or visit the IdP) at least once every day, else their session will expire due to inactivity. After one week the user will be asked to re-authenticate (e.g. re-enter their password). After a month the session will be terminated, regardless of when the other two timeouts were last reset.

Setting the timeouts

The three timeouts are configured globally and can be overridden on an individual basis when a new session is created.

Example setting of a global maximum idle time of 3 days:

sessionStore.maxIdleTime=4320

Note that the timeout unit is minutes!

How to disable a timeout

To disable a timeout set its value to -1 (implies infinity).

To disable the maximum idle time and instead rely on the maximum session lifetime to bring an end to sessions:

sessionStore.maxIdleTime=-1

If an authentication timeout is not required:

sessionStore.authLifetime=-1

Disabling max_life expiration is not recommended.