
Session Lifetime

Control how your user sessions behave

Session rules allow you to configure how user sessions are managed in your application through the CakeAuth dashboard. These settings help you maintain security while providing flexibility for different use cases.

Configuring Session Lifetime

All session configurations can be found in the CakeAuth dashboard:

  • If you haven't already, set up your account first
  • Go to your environment's Config section
  • In the left sidebar, choose Session and go to Session Lifetime.
  • Adjust your session age and inactivity timeout settings

Available Settings

Session Maximum Age

Determines how long a session can remain valid after creation, regardless of user activity.

  • Minimum: 1 minute
  • Maximum: 1 year
  • Default: 7 days

Inactivity Timeout (Optional)

Automatically invalidates sessions after a period of no activity, counted from the last token refresh.

  • Minimum: 1 minute
  • Maximum: 1 year
  • Default: disabled

Important Notes

  • The inactivity timeout cannot be longer than the maximum session age
  • If the maximum age changes and an existing session's age already exceeds it, that session is revoked (i.e. existing sessions do not continue with their original configuration)
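
The rules above, modelled as an added example (this is not CakeAuth's code or API; the function names are hypothetical, "1 year" is assumed to mean 365 days, and the timestamps are constructed). It checks a proposed configuration against the stated bounds and shows why lowering the maximum age revokes sessions that are already older than the new value.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Bounds stated on this page; "1 year" is assumed here to mean 365 days.
MIN_DURATION = timedelta(minutes=1)
MAX_DURATION = timedelta(days=365)
DEFAULT_MAX_AGE = timedelta(days=7)


def validate_config(max_age: timedelta, inactivity: Optional[timedelta]) -> list[str]:
    """Return the rule violations for a proposed configuration (empty if none)."""
    errors = []
    if not MIN_DURATION <= max_age <= MAX_DURATION:
        errors.append("max_age must be between 1 minute and 1 year")
    if inactivity is not None:  # None models the default: timeout disabled
        if not MIN_DURATION <= inactivity <= MAX_DURATION:
            errors.append("inactivity timeout must be between 1 minute and 1 year")
        if inactivity > max_age:
            errors.append("inactivity timeout cannot be longer than max_age")
    return errors


def session_state(created_at, last_refresh, now, max_age, inactivity=None) -> str:
    """Evaluate a session against the configuration in force *now*.

    Using the current settings, not those at session creation, is what makes
    a lowered max age revoke sessions that are already older than it.
    """
    if now - created_at > max_age:
        return "expired_max_age"
    if inactivity is not None and now - last_refresh > inactivity:
        return "expired_inactive"
    return "valid"


# Constructed sample: a session created 10 hours ago, refreshed 5 minutes ago.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CREATED = NOW - timedelta(hours=10)
REFRESHED = NOW - timedelta(minutes=5)

if __name__ == "__main__":
    # Default 7-day max age, no inactivity timeout: still valid.
    print(session_state(CREATED, REFRESHED, NOW, DEFAULT_MAX_AGE))
    # Max age lowered to 8 hours: the 10-hour-old session is revoked.
    print(session_state(CREATED, REFRESHED, NOW, timedelta(hours=8)))
    # 30-minute inactivity timeout, last refresh 45 minutes ago.
    print(session_state(CREATED, NOW - timedelta(minutes=45), NOW,
                        DEFAULT_MAX_AGE, timedelta(minutes=30)))
```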

Our Recommendations

High-Security Applications

  • Maximum Age: 4-8 hours
  • Inactivity Timeout: 15-30 minutes

Standard Applications

  • Maximum Age: 7-30 days
  • Inactivity Timeout: Optional

Common Questions

Q: What happens to active users when I change these settings?
A: If the maximum age changes and an existing session's age already exceeds it, that session is revoked (i.e. existing sessions do not continue with their original configuration).

Q: How is user activity detected?
A: Any authenticated request to your application counts as activity and resets the inactivity timer.

Q: Can I temporarily disable these settings?
A: You can set very long durations (up to 1 year), but the settings cannot be completely disabled. The maximum session age is always required.
