OWASP recommends that application builders implement short idle timeouts (2-5 minutes) for applications that handle high-risk data, such as financial information. It considers longer idle timeouts (15-30 minutes) acceptable for low-risk applications.
- How long should a session timeout be?
- What is the recommended security setting for session timeout?
- What is session idle timeout?
- Why is idle session timeout important?
How long should a session timeout be?
Typical session timeouts are 15- to 45-minute durations depending on the sensitivity of the data that may be exposed. As the session timeout is approaching, offer users a warning and give them an opportunity to stay logged in.
What is the recommended security setting for session timeout?
Configure Session Timeout Settings
For portal users, even though the actual timeout is between 10 minutes and 24 hours, you can only select a value between 15 minutes and 24 hours. If you want to enforce stricter security for sensitive information, choose a shorter timeout period.
What is session idle timeout?
The session inactivity timeout setting is the amount of time a user can be inactive before the user's session times out and closes. It affects only user browser sessions. You can set a value from 5 minutes to 60 minutes; the default is 30 minutes.
Why is idle session timeout important?
Use idle session timeout to configure a policy for how long users in your organization can be inactive before they are signed out of Microsoft 365 web apps. This helps protect sensitive company data and adds another layer of security for end users who work on non-company or shared devices.
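The three ideas above (risk-tiered idle limits from the OWASP guidance, a pre-expiry warning, and server-side enforcement of inactivity) fit together in a small session store. The following is an added example, not code from OWASP or from any of the vendors quoted on this page; the tier names, the 8-hour absolute cap, the 60-second warning window and the in-memory store are assumptions made for the example, and the clock is passed in by the caller so the expiry logic can be exercised without waiting in real time.

```python
"""Server-side idle and absolute session timeouts.

Added example; not code from OWASP or any vendor quoted on the page.
Assumes an in-memory session table and a caller-supplied clock (seconds).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Idle limits per data-sensitivity tier, in seconds. The "high" and "low"
# values follow the OWASP ranges cited on the page (2-5 min, 15-30 min);
# the tier names themselves and the "medium" value are assumptions.
IDLE_LIMIT = {"high": 5 * 60, "medium": 15 * 60, "low": 30 * 60}
ABSOLUTE_LIMIT = 8 * 60 * 60   # hard cap regardless of activity (assumed value)
WARN_BEFORE = 60               # idle seconds left at which the UI should warn (assumed)


@dataclass
class Session:
    user: str
    tier: str
    created_at: float   # for the absolute limit
    last_seen: float    # for the idle limit


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, sid: str, user: str, tier: str, now: float) -> Session:
        if tier not in IDLE_LIMIT:
            raise ValueError(f"unknown tier {tier!r}")
        s = Session(user=user, tier=tier, created_at=now, last_seen=now)
        self._sessions[sid] = s
        return s

    def idle_remaining(self, sid: str, now: float) -> Optional[float]:
        """Seconds of idle time left, or None if the session is unknown.
        Does not count as activity, so a polling UI cannot keep a session alive."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        return IDLE_LIMIT[s.tier] - (now - s.last_seen)

    def should_warn(self, sid: str, now: float) -> bool:
        """True when the session is still live but within WARN_BEFORE of idle expiry."""
        left = self.idle_remaining(sid, now)
        return left is not None and 0 < left <= WARN_BEFORE

    def validate(self, sid: str, now: float) -> Optional[Session]:
        """Return the session if live and refresh last_seen; otherwise evict it.

        A request arriving after either limit has passed is treated as
        unauthenticated, and the server-side record is dropped so that a
        replayed cookie cannot revive it.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_LIMIT[s.tier]
        absolute_expired = now - s.created_at > ABSOLUTE_LIMIT
        if idle_expired or absolute_expired:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def terminate(self, sid: str) -> bool:
        """Explicit logout: remove the record server-side, not just the cookie."""
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    store.create("abc", "alice", "high", now=0.0)
    print("4 min idle, live:", store.validate("abc", now=240.0) is not None)
    print("10 s left, warn:", store.should_warn("abc", now=240.0 + 290))
    print("past 5 min idle, live:", store.validate("abc", now=240.0 + 301) is not None)
```

Only `validate` refreshes `last_seen`; `idle_remaining` and `should_warn` are read-only so that the client-side countdown used to show the warning described above cannot itself extend the session. The absolute limit runs alongside the idle limit so that a session kept alive by regular activity still ends, which is what most guidance means by an absolute timeout in addition to an idle one.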