Hi Ivon van de Lagemaat, we implemented this setting and tried testing it by leaving Oragnize Space open in browser, after the default setting of 30 minutes when we click on a folder, the browser refreshes (like its getting a new session) and continues to work. We were expecting the user getting logged out and get prompted to log back in. Are we missing another setting somewhere?

Hi Ivon van de Lagemaat, we implemented this setting and tried testing it by leaving Oragnize Space open in browser, after the default setting of 30 minutes when we click on a folder, the browser refreshes (like its getting a new session) and continues to work. We were expecting the user getting logged out and get prompted to log back in. Are we missing another setting somewhere?

Hi Akheil Jain

It looks like there’s no way to force a user to log out without doing it manually.

A user will see the login page again in the following scenarios:

1. They log out manually.
2. They close and reopen their browser. This works because all authentication session cookies are deleted when the browser is closed.
3. Their authentication cookies for OrganizeSpace, AccessManagement, and possibly the Identity Provider expire.

The third scenario is likely what you’re looking for. You already know how to set the timeout for OrganizeSpace cookies. The cookie timeout for the Identity Provider depends on specific Identity Provider configuration.

However, the main issue is that the AccessManagement cookie timeout is set to 10 hours, and this cannot be changed via configuration files - it requires a code change. This is why a user doesn’t see the login page when their OrganizeSpace cookies expire. AccessManagement remembers the user (user auth session cookies) and does sign in automatically (Single Sign-On).

Hi Serhii

Thank you for the details on organize space session timeout, as you mentioned Access Management cookie timeout is set to 10 hours and it would be a code change. How would we go about making the code change to make it 4 hours? We have a internal security requirement, which doesn't allow sessions more than 4 hours.

I believe a new SRQ can be created.
The team responsible for AccessManagement can then investigate how easily these changes can be implemented and allocate the necessary time accordingly.