Account Admin users are able to decrease the frequency with which their users need to enter a username and password (or authenticate with SAML). This action is performed in the Client Options section of the Account Manager Advanced tool.
Session Management Overview
When a user’s session expires, they are taken back to the login page and required to reauthenticate by logging in. This happens either when the 24-hour access token time-to-live (TTL) is reached or when the refresh session timeout is reached.
Account Admins are not able to change the shorter-lived access tokens that determine the TTL. The maximum duration for these is still 24 hours, meaning that users could still potentially be required to reauthenticate, depending on their usage.
However, if the session timeout is made longer, the user is required to reauthenticate less frequently and is less likely to have their work interrupted by authentication requirements.
Use Case Example
Below is an example of how a longer session timeout might work. A longer session timeout does not guarantee that a user will not need to reauthenticate during that time period, but it does make the user less likely to have their work interrupted.
In this example, an Account Admin has selected a session timeout frequency of 6 days.
- DAY 1: the user logs in at 7:00 AM by entering their credentials.
- DAY 2: the user starts usage at 6:55 AM. They are still logged in to the system, and this use triggers a silent refresh. At 7:00 AM, they are still working without interruption.
- DAY 3: the user doesn’t start until 7:05 AM. The system acknowledges that they do not have a valid access token, and they are required to enter their credentials and log in.
- DAYS 4-8: the user starts at 7:00 AM. Their access token was silently refreshed each day.
- DAY 9: the 6-day session timeout, which began with the login on day 3, expires. The user is required to log back in by entering their credentials.
Changing the Session Timeout
Account Admins can navigate to the Account Manager by clicking on their profile, selecting Manage My Account, and clicking Client Options from the left side menu. In this section, click on the Session Timeout field to adjust the timeout frequency.
By default, the session timeout is set to 24 hours. Account Admins can choose to lengthen the timeout time up to 90 days.
Best Practices
Session timeout frequencies should be a balance between convenience and security. Shorter session timeouts generally enhance security, because they log users out sooner when they are inactive. However, longer session timeouts are less disruptive and more convenient for users, since they reduce how often users are required to log in.
Additionally, if you are using a SAML provider, the session timeout frequency should be matched to the session timeout configured at your SAML provider.