User session timeouts explained

End-user sessions with the Connect2id server have three types of associated timeouts, or limits:

  • Max session lifetime -- the maximum time a session can live, regardless of how often the other timers are reset.

  • Max authentication lifetime -- the maximum time an authentication is valid for; the user will be prompted to re-authenticate after this timeout expires, while keeping the same session.

  • Max idle time -- the maximum amount of time between visits for login or consent to the authorisation endpoint, or visits to other pages, such as a profile or account settings page, if those pages rely on the session store API of the Connect2id server.

The session is automatically closed and purged by the Connect2id server once any one of these three timeout events occurs.

The three timeouts will typically have the following relationship:

max session lifetime >= max auth lifetime >= max idle time

So, for example, if you have 1 month, 1 week and 24h for the three timeouts, then a user has to login (or visit the IdP) at least once every day, else their session will expire due to inactivity. After one week the user will be asked to re-authenticate (e.g. reenter their password), and after a month the session will be terminated.

Setting the timeouts

The three timeouts are configured globally and can be overridden on a individual basis when a new session is created.

Note, the timeout unit is minutes!

To disable a particular timeout set its value to -1 (implying infinity).

Disabling the auth timeout

If an authentication timeout is not required, you can disable it:

sessionStore.authLifetime = -1

If you need further help with configuring your session timeouts, contact Connect2id support.