Controlling session timeouts
Overview
To prevent cross-site request forgery (CSRF), the system uses time limits on sessions and protects them with secure tokens.
The following is true by default for tokens:
Tokens are valid for a maximum of 10 hours. After continuously using the web interface for 10 hours, the session expires, and you must log in again to renew it.
Tokens remain valid for 2 hours without activity. If you are inactive for over 2 hours, the session expires, and you must log in again to renew it. Inactivity occurs when you stop interacting with the page, for example by closing your tab or browser.
Session expiry may be transparent to single sign-on (SSO) users if your SSO session is still valid, because SSO sessions are configured directly in your Identity Provider.
Tokens are refreshed every 5 minutes. A user account deleted from the user interface will lose access after a maximum of 5 minutes.
Setting token validity periods and session timeouts
Contact Nexthink Support to configure token validity periods and the maximum duration of sessions:
Token maximum duration
Default value: 10 hours
Minimum value: Equal to or greater than the inactivity timeout
Inactivity timeout
Default value: 2 hours
Minimum value: 5 minutes
Maximum value: 1825 days (not recommended)
Long intervals make your Nexthink tenant vulnerable to CSRF attacks.
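The following added example (not Nexthink code) models how the three timers described above interact: it checks a proposed configuration against the documented limits, classifies a session against the maximum duration and the inactivity timeout, and computes when a deleted account loses access. The names SessionPolicy, session_state and access_lost_at are hypothetical, and the example assumes that a token refresh fails once the account has been deleted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

REFRESH_INTERVAL = timedelta(minutes=5)   # page: tokens are refreshed every 5 minutes
MIN_INACTIVITY = timedelta(minutes=5)     # page: minimum inactivity timeout
MAX_INACTIVITY = timedelta(days=1825)     # page: maximum inactivity timeout


@dataclass(frozen=True)
class SessionPolicy:                      # hypothetical name; defaults are the page's
    max_duration: timedelta = timedelta(hours=10)
    inactivity_timeout: timedelta = timedelta(hours=2)

    def violations(self):
        """Return the documented constraints this policy breaks (empty if none)."""
        found = []
        if self.inactivity_timeout < MIN_INACTIVITY:
            found.append("inactivity timeout below 5 minutes")
        if self.inactivity_timeout > MAX_INACTIVITY:
            found.append("inactivity timeout above 1825 days")
        if self.max_duration < self.inactivity_timeout:
            found.append("maximum duration shorter than inactivity timeout")
        return found


def session_state(policy, login_at, last_activity_at, now):
    """Classify a session: the absolute limit is checked first, then idleness."""
    if now - login_at > policy.max_duration:
        return "expired: maximum duration"
    if now - last_activity_at > policy.inactivity_timeout:
        return "expired: inactivity"
    return "valid"


def access_lost_at(token_issued_at, deleted_at):
    """First refresh at or after deletion. Assumption: a refresh for a
    deleted account fails, which bounds the exposure to REFRESH_INTERVAL."""
    elapsed = max(deleted_at - token_issued_at, timedelta(0))
    refreshes = -(-elapsed // REFRESH_INTERVAL)   # ceiling division
    return token_issued_at + refreshes * REFRESH_INTERVAL


if __name__ == "__main__":
    login = datetime(2024, 1, 1, 8, 0)            # constructed sample times
    policy = SessionPolicy()
    print(session_state(policy, login, login + timedelta(hours=9), login + timedelta(hours=9, minutes=30)))
    print(session_state(policy, login, login + timedelta(hours=1), login + timedelta(hours=4)))
    print(access_lost_at(login, login + timedelta(minutes=12)))
```

Continuous activity does not extend a session past the maximum duration, which is why that check comes before the inactivity check.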
Overriding session timeouts
You can grant users a special privilege that keeps them logged in indefinitely and bypasses the configured session timeout value.
For more information, refer to the Setting personal data and profile section in the Users documentation.