Good timeout periods vary widely according to the sensitivity of the app, one's own risk profile, etc., but some good guidelines are:
- 15 minutes for high security applications.
- 30 minutes for medium security applications.
- 1 hour for low security applications.
What is the recommended session timeout?
Typical session timeouts are 15- to 45-minute durations depending on the sensitivity of the data that may be exposed. As the session timeout is approaching, offer users a warning and give them an opportunity to stay logged in.
What are the Session management best practices according to OWASP?
Ensure that the session inactivity timeout is as short as possible; OWASP recommends that the session timeout be less than several hours. Generate a new session identifier whenever a user re-authenticates or opens a new browser session.
How long should a login session last?
Longer idle timeouts (15-30 minutes) are considered acceptable for low-risk applications. On the other hand, NIST recommends that application builders make their users re-authenticate every 12 hours and terminate sessions after 30 minutes of inactivity.
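The two sections above describe the same server-side mechanism: an inactivity (idle) timeout, an absolute lifetime that forces re-authentication, and session identifier rotation on re-authentication. The following is an added example, not code from the original page or from OWASP or NIST, showing a minimal in-memory session store that enforces the 30-minute idle and 12-hour absolute limits quoted above and exposes the remaining idle time so a client can show the pre-expiry warning. The class and function names (`SessionStore`, `FakeClock`, `touch`, `reauthenticate`) are assumptions made for the example; the injectable clock exists so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field

# Figures taken from the page: 30 minutes of inactivity, re-authenticate every 12 hours.
IDLE_TIMEOUT = 30 * 60
ABSOLUTE_TIMEOUT = 12 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    # 256-bit random identifier from the OS CSPRNG; never derived from user data.
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class FakeClock:
    """Constructed test clock so expiry can be simulated without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SessionStore:
    def __init__(self, clock=time.time, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._clock = clock
        self._idle = idle
        self._absolute = absolute
        self._sessions = {}

    def login(self, user):
        """Create a fresh session after successful authentication; return its id."""
        now = self._clock()
        s = Session(user=user, created_at=now, last_seen=now)
        self._sessions[s.session_id] = s
        return s.session_id

    def touch(self, session_id):
        """Validate on every request. Returns the Session, or None once either limit is hit.

        The idle limit is measured from the last request; the absolute limit from
        creation, so activity cannot keep a session alive forever.
        """
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self._idle or now - s.created_at > self._absolute:
            del self._sessions[session_id]
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, session_id):
        """After the user re-enters credentials, rotate the identifier (OWASP practice above).

        The old id is invalidated so an identifier observed before re-auth cannot be reused.
        """
        s = self._sessions.pop(session_id, None)
        if s is None:
            return None
        now = self._clock()
        fresh = Session(user=s.user, created_at=now, last_seen=now)
        self._sessions[fresh.session_id] = fresh
        return fresh.session_id

    def seconds_until_idle_expiry(self, session_id):
        """Remaining idle time, for the 'you are about to be logged out' warning."""
        s = self._sessions.get(session_id)
        if s is None:
            return 0
        return max(0, int(self._idle - (self._clock() - s.last_seen)))


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = SessionStore(clock=clock)
    sid = store.login("alice")
    clock.advance(29 * 60)
    print("still valid after 29 min:", store.touch(sid) is not None)
    print("warn in seconds:", store.seconds_until_idle_expiry(sid))
    clock.advance(31 * 60)
    print("valid after 31 idle min:", store.touch(sid) is not None)
```

The absolute timeout is what makes the NIST 12-hour re-authentication rule enforceable: a client that pings the server every few minutes would otherwise never trip the idle limit. Rotation on re-authentication is done by creating a new `Session` object rather than renaming the old one, so no state from the pre-auth identifier survives.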
How do you implement session timeout?
Select System administration > Setup > System parameters to open the System parameters page. On the General tab, in the Session management section, enter a value in the Session inactivity timeout in minutes field. Select Save. If you set the value to greater than 30, you will be prompted to confirm your selection.