Controlling session timeouts

Overview

To prevent cross-site request forgery (CSRF), the system uses time limits on sessions and protects them with secure tokens.

The following is true by default for tokens:

  • Tokens are valid for a maximum of 10 hours. After continuously using the web interface for 10 hours, the session expires, and you must log in again to renew it.

  • Tokens remain valid for 2 hours without activity. If you are inactive for over 2 hours, the session expires, and you must log in again to renew it. Inactivity occurs when you stop interacting with the page, for example by closing your tab or browser.

Session expiry may be transparent to single sign-on (SSO) users if the SSO session is still valid, because SSO sessions are configured directly in your Identity Provider.

  • Tokens are refreshed every 5 minutes. A user account deleted from the user interface will lose access after a maximum of 5 minutes.

Amplify-specific timeouts

Due to the nature of Amplify as a browser-based plugin, the rules for token validity and their durations depend on whether the browser is running or not:

  • The browser is running:

    • The Amplify plugin is in use: Tokens last up to 10 hours.

    • The Amplify plugin window is closed: Tokens last up to 10 hours.

  • The browser is not running: Tokens last up to 2 hours.

Setting token validity periods and session timeouts

Contact Nexthink Support to configure token validity periods and the maximum duration of sessions:

  • Token maximum duration

    • Default value: 10 hours

    • Minimum value: Equal to or greater than the inactivity timeout

  • Inactivity timeout

    • Default value: 2 hours

    • Minimum value: 5 minutes

    • Maximum value: 1825 days (not recommended)

Overriding session timeouts

You can grant users a special privilege that keeps them logged in indefinitely and bypasses the configured session timeout value.

For more information, refer to the Setting personal data and profile section in the Users documentation.
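
The timeout rules and configuration limits described on this page can be modelled as follows. This is an added illustration, not Nexthink code: the class, function and field names are hypothetical, and it assumes that token refreshes fire at fixed intervals counted from login and that the override privilege skips both timers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil

MIN_INACTIVITY = timedelta(minutes=5)   # minimum inactivity timeout (from this page)
MAX_INACTIVITY = timedelta(days=1825)   # maximum inactivity timeout (from this page)

@dataclass(frozen=True)
class TimeoutPolicy:
    max_duration: timedelta = timedelta(hours=10)       # page default
    inactivity_timeout: timedelta = timedelta(hours=2)  # page default
    refresh_interval: timedelta = timedelta(minutes=5)  # page default

    def errors(self):
        """Return violations of the limits listed on this page."""
        found = []
        if self.inactivity_timeout < MIN_INACTIVITY:
            found.append("inactivity timeout below 5 minutes")
        if self.inactivity_timeout > MAX_INACTIVITY:
            found.append("inactivity timeout above 1825 days")
        if self.max_duration < self.inactivity_timeout:
            found.append("maximum duration shorter than inactivity timeout")
        return found

def session_state(policy, login, last_activity, now, deleted_at=None, no_timeout=False):
    """Classify a session at `now` as active, revoked or expired."""
    if deleted_at is not None:
        # Assumption: refreshes fire at fixed intervals counted from login,
        # so a deleted account is cut off at the first refresh after deletion.
        ticks = ceil((deleted_at - login) / policy.refresh_interval)
        if now >= login + ticks * policy.refresh_interval:
            return "revoked"
    if no_timeout:
        # Assumption: the override privilege skips both timers below.
        return "active"
    if now - login >= policy.max_duration:
        return "expired: maximum duration"
    if now - last_activity > policy.inactivity_timeout:
        return "expired: inactivity"
    return "active"
```

With the default policy, a continuously active user is still logged out at the 10-hour mark, and a deleted account can keep a working token for up to one refresh interval.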

