# Session management

**Premium feature:** Only customers on the enterprise tier can access this feature.
Customize session timeout and remember me settings to maintain optimal security and user experience in Asgardeo.
## Configuration instructions
To adjust session management settings, follow these steps:
- On the Asgardeo Console, go to Login & Registration > Login Security > Session Management.
- Configure the Idle Session Timeout and Remember Me Period to suit your security policies.
- To enforce an absolute session lifetime, select Enable Maximum Session Timeout and configure the Maximum Session Timeout.
- Enable Skip terminating current session and token on password update to preserve the current session when users update their password.
- Click Update to save the changes.
## Parameters

| Parameter | Description |
|---|---|
| Idle Session Timeout | Time in minutes before an inactive user session is automatically ended. |
| Remember Me Period | Duration in minutes that the system will remember a user's session. |
| Enable Maximum Session Timeout | When enabled, enforces an absolute maximum lifetime for user sessions regardless of user activity or a valid remember me token. This setting is disabled by default. |
| Maximum Session Timeout | The maximum duration in minutes a user session can remain active. The default value is 43200 minutes (30 days). This setting applies only when Enable Maximum Session Timeout is selected. |
| Skip terminating current session and token on password update | If enabled, the current session and token will NOT be terminated or revoked when the user updates their password. |
## Maximum session timeout
The maximum session timeout enforces an absolute upper bound on how long a user session can remain active. Unlike the idle session timeout, which resets on user activity, the maximum session timeout counts from the moment the session is created.
When both are configured, the following rules apply:
- If the idle session timeout expires first, the session ends and the user must sign in again.
- If the maximum session timeout expires first, the user must re-authenticate even if they have been continuously active.
- The remember me feature does not extend a session beyond the maximum session timeout.
**Important:** When Enable Maximum Session Timeout is turned on, users must re-authenticate after the configured maximum session lifetime expires, even if the idle session timeout or the remember me period has not elapsed.
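The interaction between the idle timeout, the remember me period and the absolute maximum timeout is easiest to see by evaluating a few sessions against a fixed clock. The model below is an added illustration written for this page, not Asgardeo's own implementation; it uses the parameter names and the 43200-minute default from the table above, and it assumes (the page does not say) that while a remember-me token is present the inactivity allowance is the Remember Me Period rather than the Idle Session Timeout. The scenario names, timestamps and policy values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    ACTIVE = "active"
    IDLE_EXPIRED = "idle session timeout expired"
    MAX_EXPIRED = "maximum session timeout expired"


@dataclass(frozen=True)
class SessionPolicy:
    """Mirrors the console settings on this page; all values are in minutes."""
    idle_timeout_min: int
    remember_me_min: int
    max_timeout_enabled: bool = False   # 'Enable Maximum Session Timeout' is off by default
    max_timeout_min: int = 43200        # page default: 30 days


@dataclass(frozen=True)
class Session:
    created_at: datetime
    last_activity_at: datetime
    remember_me: bool = False           # whether a valid remember-me token is present


def evaluate(session: Session, policy: SessionPolicy, now: datetime) -> Verdict:
    """Return whether the session is still valid at `now` and, if not, which limit ended it.

    Modelling assumption (not stated on the page): with a remember-me token present, the
    inactivity allowance is the Remember Me Period instead of the Idle Session Timeout.
    """
    inactivity_min = policy.remember_me_min if session.remember_me else policy.idle_timeout_min
    # The inactivity deadline moves forward with every activity; the absolute one never does.
    deadlines = [(session.last_activity_at + timedelta(minutes=inactivity_min), Verdict.IDLE_EXPIRED)]
    if policy.max_timeout_enabled:
        deadlines.append((session.created_at + timedelta(minutes=policy.max_timeout_min), Verdict.MAX_EXPIRED))
    deadline, reason = min(deadlines, key=lambda d: d[0])   # whichever limit is hit first decides
    return reason if now >= deadline else Verdict.ACTIVE


NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)   # constructed fixed clock for the scenarios


def ago(**kwargs) -> datetime:
    return NOW - timedelta(**kwargs)


def scenarios() -> dict:
    """Constructed sessions exercising the three rules listed above."""
    strict = SessionPolicy(idle_timeout_min=15, remember_me_min=7 * 24 * 60, max_timeout_enabled=True)
    lenient = SessionPolicy(idle_timeout_min=15, remember_me_min=7 * 24 * 60, max_timeout_enabled=False)
    return {
        # Rule 1: the idle timeout is reached long before the absolute bound.
        "idle_user": evaluate(Session(ago(hours=1), ago(minutes=16)), strict, NOW),
        # Rule 2: continuously active for 30 days, still ended by the absolute bound.
        "active_30_days": evaluate(Session(ago(days=30), ago(minutes=1)), strict, NOW),
        # Rule 3: a remember-me token does not carry the session past the maximum timeout.
        "remembered_31_days": evaluate(Session(ago(days=31), ago(days=2), remember_me=True), strict, NOW),
        # The same remembered session survives when the maximum timeout is disabled.
        "remembered_31_days_no_max": evaluate(Session(ago(days=31), ago(days=2), remember_me=True), lenient, NOW),
        # Recently active and well inside both limits.
        "recently_active": evaluate(Session(ago(minutes=20), ago(minutes=1)), strict, NOW),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict.value}")
```

Picking the earliest deadline rather than checking the limits in a fixed order is what makes the result match the "expires first" wording of the rules: when an operator reviews why a session ended, the verdict names the limit that actually fired.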
