Time Out: Login Sessions
When someone logs in to your Igloo, they create a login session. How long these sessions last, and whether they're customizable is probably one of the most common questions we receive in Support. It's documented in the Knowledge Base, but there are a lot of particulars to your members' sessions that are worth understanding, as well as a new feature in our next release that can affect them.
Timing out
Timeouts happen when your session is idle for three hours and twenty minutes. That means no typing or navigation at all, or that timer starts over again. At the three hour mark, a countdown will appear on the page, with a button to keep your session alive. When that clock reaches zero, the session expires in all tabs in that browser.
Sign in settings
The Remember Me option on the login page doesn't affect your immediate session, but lets the platform know that when your session has expired in that browser, and you visit an area of your digital workplace, it should start a new session for you without prompting a login.
Signing out ends your session, but default browser settings will retain the session cookie for twenty minutes typically, so navigating back to your digital workplace will log you in and start a new session automatically.
Single Sign On
The Igloo platform uses SAML 2.0 for Single Sign On, letting you manage people's credentials with a separate identity provider like Microsoft Azure, or Google. This also won't affect session timeouts, though. Instead, the identity provider will maintain its own session, and log people back in based on that session timer. If your session with Igloo has expired, but you still have one with Google, the next link you click in Igloo will log you in and start a new session.
What's changing
Tonight's release will add an option for Administrators that terminates the session cookie as soon as someone signs out, informing the browser that it should remove that token immediately, rather than waiting for an expiry. This can give you finer control of the nature of people's sessions, and is especially useful for compliance, as well as workplaces where people use shared machines.
For more information about what's in tonight's release in the release notes, and if you have any questions about sessions, you can ask a question in the Community area, consult the Knowledge Base, or attend our What's New in Igloo webinar on August 16.
6 Comments
I don't believe the session timer is 3 hours and 20 minutes. I just signed in about 45 minutes ago and when I came back to the page I was timed out. I've noticed this the past week or so - maybe longer but I've been out of the office frequently this month. Has something changed in late 2017 on the session timer?
...
Upon further poking around I found the session timer option setting....for 20 minutes. I have corrected that oddly short window.
Hi Eric,
You're absolutely right. This post was published before the session control settings were added in the October release. The default session timeout is 20 minutes of inactivity, and can now be configured for as little as one minute, or as much as one day.
Hi Jim and Eric,
Hope you are well.
Where do you go on the platform to change the duration of "Session Control Settings"
Thanks,
Sheila
Under the main Control Panel...
Membership / Sign In Settings
Configurable Session Timeout
Thanks Eric Profancik fir your help :)
Do session timeouts still work the same in the latest release? We are setup for SAML authentication and are trying to understand how timeouts are supposed to work. Our timeout values on the IDP do not seem to expire. IDP timeouts are set for 2 hours, however, the session does not log out until the Igloo session timeout expires.
Thanks!