Enforce a limited session lifetime for all policies

Session lifetime determines the maximum idle time of an end user's sign-on session to Okta. Lowering this value decreases the risk of malicious third party access to a user's applications from an active session.

The maximum time allowed time for this setting is 90 days. The default session lifetime is 2 hours. On the end-user dashboard, a countdown timer appears at the 5-minute mark of remaining session time.


HealthInsight: Why is this task recommended?

This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Enforce a limited session lifetime in your org policies to reduce the risk of malicious third party access to an end user's applications (when an end-user session is active).

Security impact: High

End-user impact: Moderate

Okta recommends: A session lifetime of 2 hours or less.


End-user experience and impact

End users using the end user dashboard will receive a countdown prompt based on the set duration once there are five minutes remaining in the active session.



To set the session lifetime for a policy:

  1. From the admin console, navigate to Security > Authentication.
  2. Click Sign On.
  3. Click Add Rule or Edit to modify an existing policy rule.
  4. Under Session expires after, set the session lifetime duration in minutes, hours, or days.

    Blacklisting an IP zone from the admin console.

  5. Click Create Rule or Save Rule once your changes have been made.


Related topics