User session timeouts explained

End-user sessions with the Connect2id server have three types of associated timeouts, or limits:

  • Max session lifetime — the maximum time a session can live, regardless of how often the other timers are reset.

  • Max authentication lifetime — the maximum time an authentication is valid for; the user will be prompted to re-authenticate after this timeout expires, while keeping the same session.

  • Max idle time — the maximum amount of time between OpenID authentication requests, or other visits to the OpenID Provider, such as profile or account settings page, if those query the same session / cookie via the session store API (GET and PUT operations).

The session is automatically closed and purged by the Connect2id server once any one of these three timeout events occurs.

The three timeouts will typically have the following relationship:

max session lifetime > max auth lifetime > max idle time

So, for example, if you have 1 month, 1 week and 24h for the three timeouts, then a user has to login (or visit the IdP) at least once every day, else their session will expire due to inactivity. After one week the user will be asked to re-authenticate (e.g. reenter their password), and after a month the session will be terminated.

Setting the timeouts

The three timeouts are configured globally and can be overridden on a individual basis when a new session is created.

Note that the timeout unit is minutes!

To disable a particular timeout set its value to -1.

Disabling the auth timeout

If an authentication timeout is not required, you can disable it:

sessionStore.authLifetime = -1

If you need help with configuring your session timeouts, contact Connect2id support.