# Controlling session timeouts

## Overview <a href="#controllingsessiontimeoutsintheportal-classic-overview" id="controllingsessiontimeoutsintheportal-classic-overview"></a>

To prevent cross-site request forgery (CSRF), the system uses time limits on sessions and protects them with secure tokens.

The following is true by default for tokens:

* Tokens are valid for a maximum of 10 hours. After continuously using the web interface for 10 hours, the session expires, and you must log in again to renew it.
* Tokens remain valid for 2 hours without activity. If you are inactive for over 2 hours, the session expires, and you must log in again to renew it. Inactivity begins when you stop interacting with the page, for example by closing the tab or the browser.

{% hint style="info" %}
Logging in again may be transparent to single sign-on (SSO) users if the SSO session is still valid, because SSO sessions are configured directly in your Identity Provider.
{% endhint %}

* Tokens are refreshed every 5 minutes. A user account deleted from the user interface will lose access after a maximum of 5 minutes.

### Amplify-specific timeouts <a href="#controllingsessiontimeoutsintheportal-classic-overridingsessiontimeouts" id="controllingsessiontimeoutsintheportal-classic-overridingsessiontimeouts"></a>

Because Amplify is a browser-based plugin, token validity and duration depend on whether the browser is running:

* The browser is running:
  * The Amplify plugin is in use: Tokens last up to 10 hours.
  * The Amplify plugin window is closed: Tokens last up to 10 hours.
* The browser is not running: Tokens last up to 2 hours.

{% hint style="warning" %}
You cannot increase session duration by checking the *Keep me signed in* setting when logging into Nexthink.
{% endhint %}

## Setting token validity periods and session timeouts <a href="#controllingsessiontimeoutsintheportal-classic-settingtokenvalidityperiodsandsessiontimeouts" id="controllingsessiontimeoutsintheportal-classic-settingtokenvalidityperiodsandsessiontimeouts"></a>

Contact Nexthink Support to configure token validity periods and the maximum duration of sessions:

* Token maximum duration
  * Default value: 10 hours
  * Minimum value: Equal to or greater than the inactivity timeout
* Inactivity timeout
  * Default value: 2 hours
  * Minimum value: 5 minutes
  * Maximum value: 1825 days (not recommended)

{% hint style="warning" %}
Long intervals make your Nexthink tenant vulnerable to CSRF attacks.
{% endhint %}
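
The sketch below is an added example, not Nexthink code. It models how the two limits described on this page interact and checks a proposed pair of values against the documented bounds before you send them to Support. `SessionPolicy`, `session_state` and `access_lost_by` are hypothetical names, and the assumption that token refreshes fall on fixed 5-minute boundaries counted from login is a modelling choice, not documented behavior.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Bounds and refresh interval as documented on this page.
MIN_INACTIVITY = timedelta(minutes=5)
MAX_INACTIVITY = timedelta(days=1825)
REFRESH_INTERVAL = timedelta(minutes=5)


@dataclass(frozen=True)
class SessionPolicy:  # hypothetical name, not a Nexthink API
    max_duration: timedelta = timedelta(hours=10)       # documented default
    inactivity_timeout: timedelta = timedelta(hours=2)  # documented default

    def problems(self) -> list:
        """Return every documented constraint this policy violates."""
        found = []
        if self.inactivity_timeout < MIN_INACTIVITY:
            found.append("inactivity timeout below the 5 minute minimum")
        if self.inactivity_timeout > MAX_INACTIVITY:
            found.append("inactivity timeout above the 1825 day maximum")
        if self.max_duration < self.inactivity_timeout:
            found.append("maximum duration shorter than inactivity timeout")
        return found


def session_state(policy, login, last_activity, now):
    """Apply both limits; report the absolute limit first if both have passed."""
    if now - login > policy.max_duration:
        return "expired: maximum duration"
    if now - last_activity > policy.inactivity_timeout:
        return "expired: inactivity"
    return "valid"


def access_lost_by(login, deleted_at):
    """Latest time a deleted account keeps access. Assumption: refreshes fall
    on fixed 5 minute boundaries counted from login."""
    completed = (deleted_at - login) // REFRESH_INTERVAL  # refreshes already done
    return login + (completed + 1) * REFRESH_INTERVAL


if __name__ == "__main__":
    login = datetime(2024, 1, 8, 8, 0)  # constructed sample timestamps
    policy = SessionPolicy()
    print(session_state(policy, login, login + timedelta(hours=1),
                        login + timedelta(hours=3, minutes=30)))
    print(SessionPolicy(max_duration=timedelta(hours=1)).problems())
    print(access_lost_by(login, login + timedelta(minutes=12)))
```

A session that stays active still ends at the maximum duration, and a deleted account can hold a valid token until the next refresh, which is where the 5-minute upper bound on revocation comes from.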

## Overriding session timeouts <a href="#controllingsessiontimeoutsintheportal-classic-overridingsessiontimeouts" id="controllingsessiontimeoutsintheportal-classic-overridingsessiontimeouts"></a>

You can grant users a special privilege that keeps them logged in indefinitely and bypasses the configured session timeout value.

For more information, refer to the *Setting personal data and profile* section in the [Users](https://docs.nexthink.com/platform/user-guide/administration/account-management/accounts) documentation.

***

#### RELATED TASK

* [Users](https://docs.nexthink.com/platform/user-guide/administration/account-management/accounts)
