Enforce a limited session lifetime for all policies

Session lifetime determines the maximum idle time of an end user's sign-on session to Okta. Lowering this value decreases the risk of malicious third party access to a user's applications from an active session.

The maximum time allowed time for this setting is 90 days. The default session lifetime is 2 hours. On the end-user dashboard, a countdown timer appears at the 5-minute mark of remaining session time.


HealthInsight: Why is this task recommended?

This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Enforce a limited session lifetime in your orgThe Okta container that represents a real-world organization. policies to reduce the risk of malicious third party access to an end user's applications (when an end-user session is active).

Security impact: High

End-user impact: Moderate

Okta recommends: A session lifetime of 2 hours or less.


End-user experience and impact

End usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins. using the end user dashboard will receive a countdown prompt based on the set duration once there are five minutes remaining in the active session.



To set the session lifetime for a policy:

  1. From the adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. console, navigate to Security > AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect..
  2. Click Sign On.
  3. Click Add Rule or Edit to modify an existing policy rule.
  4. Under Session expires after, set the session lifetime duration in minutes, hours, or days.

    Blacklisting an IP zone from the admin console.

  5. Click Create Rule or Save Rule once your changes have been made.


Related topics