User session timeouts explained
max_life -- The maximum time a session can live.
auth_life -- The maximum time the user authentication is valid for. The Connect2id server will prompt the user to re-authenticate after this timeout expires, while keeping the session.
max_idle -- The maximum time between visits for login or consent to the authorisation endpoint, or visits to other pages, such as a profile or account settings page, if those pages use the session store API of the Connect2id server.
The Connect2id server will close a session when its max_life or max_idle times out.
The three timeouts must have the following relationship:
max_life >= auth_life >= max_idle
For example, if you set 1 month, 1 week and 24h for the three timeouts, then a user has to log in (or visit the IdP) at least once every day, otherwise their session will expire due to inactivity. After one week the user will be asked to re-authenticate (e.g. re-enter their password). After a month the session will be terminated, regardless of when the other two timeouts were last reset.
Setting the timeouts
Example setting of a global maximum idle time of 3 days:
Note, the timeout unit is minutes!
How to disable a timeout
To disable a timeout set its value to -1 (implies infinity).
To disable the maximum idle time and instead rely on the maximum session lifetime to bring an end to sessions:
If an authentication timeout is not required:
Disabling max_life expiration is not recommended.