Session and token duration

You can configure settings for your organization that govern session duration and security token behaviors.

Parameters and definitions follow the procedure below.

Note: Administrator session duration parameters are not configurable.
Note: Numeric entries cannot begin with zero (0).

You can configure user session duration using the parameters in this section. Aspera on Cloud manages sessions using three types of tokens: a login token (also called an access token), a refresh token, and a transfer node token.

To configure settings for your organization, do the following:

  1. Go to Organization > Security.
  2. To enable a setting, select the checkbox; to disable a setting, clear the checkbox.
  3. Enter the intended duration.
  4. Click Save.

Access (login) token expiration

The login token expiration defines the maximum duration of an active session unless the refresh token duration (see Refresh token rotation, below) is configured to extend the session. Unless refresh tokens are configured, users must re-authenticate when the login token expires.

  • Default duration is 1 hour.
  • Valid durations are 15 minutes to 24 hours.

Refresh token rotation

The refresh token defines the maximum duration that an active login session can be extended. This option is disabled by default for new organizations.

When a user logs in, Aspera on Cloud grants the user a login token (see Access (login) token expiration, above) and a refresh token. The refresh token provides an active user with subsequent login tokens, extending their active session for the duration you configure for this parameter.

  • When enabled, the user session is extended, in increments equal to the login token duration, for the duration you configure for this parameter. For example, if the login token expiration is set to 1 hour and the refresh token expiration is set to 1 day, Aspera on Cloud issues new login tokens to an active user each hour for 24 hours. Then the session expires and the user must re-authenticate.
    • Recommended duration is 7 days.
    • Valid durations are 1 day to 365 days.

Inactive session logout

You can configure a maximum duration for inactive sessions. This option is disabled by default for new organizations.

  • When enabled, an inactive session is automatically logged out after the duration you configure.
    • Recommended duration is 1 hour.
    • Valid durations are 15 minutes to 7 days.
  • When disabled, user sessions are never logged out due to inactivity.

Transfer token expiration

The transfer node token expiration defines the maximum duration of authorized activity on the transfer node. This token, with the duration you configure here, is issued/reissued automatically when the login token is issued/reissued.

Note: You must set the transfer node token expiration duration longer than the login token expiration duration. Set the transfer node token duration to match your organization's longest transfer durations.

  • Default duration is 12 hours.
  • Valid durations are 1 hour to 14 days.
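
As an added example (not IBM's code and not an Aspera on Cloud API), the following Python checks a planned set of values against the valid ranges and the transfer-token rule on this page before you enter them, and works through the 1 hour / 1 day case described above. The setting names and the dictionary layout are hypothetical.

```python
from datetime import timedelta as td

# Valid ranges as stated on this page: (minimum, maximum).
# The key names are hypothetical labels, not product field names.
RANGES = {
    "login_token": (td(minutes=15), td(hours=24)),
    "refresh_token": (td(days=1), td(days=365)),
    "inactive_logout": (td(minutes=15), td(days=7)),
    "transfer_token": (td(hours=1), td(days=14)),
}

def audit(settings):
    """Return (findings, max_session, login_tokens_issued).

    `settings` maps the keys in RANGES to a timedelta, or to None when
    an optional setting (refresh_token, inactive_logout) is disabled.
    """
    findings = []
    for name, (low, high) in RANGES.items():
        value = settings.get(name)
        if value is not None and not low <= value <= high:
            findings.append(f"{name}: {value} is outside {low} to {high}")
    login, transfer = settings["login_token"], settings["transfer_token"]
    if transfer <= login:
        findings.append("transfer_token must be longer than login_token")
    if settings.get("inactive_logout") is None:
        findings.append("inactive_logout disabled: idle sessions never log out")
    refresh = settings.get("refresh_token")
    # Without refresh tokens the session ends when the login token expires.
    max_session = refresh if refresh is not None else login
    # Login tokens needed to cover the whole session for an active user
    # (ceiling division; 0 if the login duration itself is zero).
    issued = -(-max_session // login) if login else 0
    return findings, max_session, issued

if __name__ == "__main__":
    # Constructed sample: the page's 1 hour / 1 day example with the
    # recommended inactivity logout and the default transfer token.
    planned = {
        "login_token": td(hours=1),
        "refresh_token": td(days=1),
        "inactive_logout": td(hours=1),
        "transfer_token": td(hours=12),
    }
    print(audit(planned))
```
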