You can enforce a maximum login duration to require users to re-authenticate after a
specific period, regardless of user activity. This setting is useful for organizations
whose security policies prohibit persistent login sessions.
Before you begin
You must have the following role permissions:
About this task
The Maximum Login Time setting overrides the
Remember me configuration. After this setting is active, a
countdown timer is displayed in the log-off menu. The system provides the following
visual warnings:
- A black banner appears when the session time remaining reaches 30 minutes.
- The message changes to red when the time remaining drops below 5 minutes.
Procedure
- In the Web UI, navigate to settings.
- In the Maximum Login time (hours) field, specify the number of hours users may remain logged in.
  Note: If the value is set to 0 or a negative number, the maximum login time enforcement is disabled.
- Save the settings.
- Log out and log back into the Web UI.
  Note: Changes to this setting only apply to new sessions. Existing active sessions remain unchanged until the user logs out and back in.
Results
The maximum login time is enforced. When the timer reaches
zero, the following actions occur:
- The server terminates the session immediately.
- The client triggers the logout endpoint and refreshes to the login screen.
- OIDC and single sign-on (SSO) sessions are redirected for full
de-authentication.
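The timing rules on this page (a limit measured from login rather than from last activity, 0 or a negative value disabling enforcement, the limit fixed when the session starts, and warnings at 30 and 5 minutes) can be modeled as follows. This is an added example, not the product's code; `Session`, `new_session` and `session_state` are hypothetical names, and all times are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WARN_AT = timedelta(minutes=30)        # banner appears at 30 minutes remaining
CRITICAL_BELOW = timedelta(minutes=5)  # message turns red below 5 minutes


@dataclass(frozen=True)
class Session:
    """Hypothetical session record. The limit is copied in at login, so a
    later change to the setting does not affect a session that already exists."""
    user: str
    login_time: datetime
    max_login_hours: float

    def deadline(self) -> Optional[datetime]:
        # 0 or a negative value disables enforcement.
        if self.max_login_hours <= 0:
            return None
        return self.login_time + timedelta(hours=self.max_login_hours)


def new_session(user: str, setting_hours: float, now: datetime) -> Session:
    """Start a session using the setting value in force at login time."""
    return Session(user, now, setting_hours)


def session_state(session: Session, now: datetime) -> str:
    """Return 'unlimited', 'ok', 'warning', 'critical' or 'expired'.

    No last-activity input is taken: the limit is absolute, so user
    activity cannot extend the session.
    """
    deadline = session.deadline()
    if deadline is None:
        return "unlimited"
    remaining = deadline - now
    if remaining <= timedelta(0):
        return "expired"      # server terminates the session
    if remaining < CRITICAL_BELOW:
        return "critical"     # red message
    if remaining <= WARN_AT:
        return "warning"      # banner
    return "ok"
```

A server that enforces this check on every request, instead of relying on the client-side countdown, still ends the session at the deadline when the browser timer is paused or tampered with.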