Enforce a limited session lifetime for all policies

Session lifetime determines the maximum idle time of an end user's sign-on session to Okta. Lowering this value decreases the risk of malicious third party access to a user's applications from an active session.

The maximum time allowed time for this setting is 90 days. The default session lifetime is two hours. On the end-user dashboard, a countdown timer appears at the five-minute mark of remaining session time.

HealthInsight task recommendation

Enforce a limited session lifetime in your org policies to reduce the risk of malicious third-party access to an end user's applications (when an end-user session is active).

Okta recommends

A session lifetime of two hours or less.

Security impact


End-user impact


End users using the end user dashboard will receive a countdown prompt based on the set duration once there are five minutes remaining in the active session.

Set the session lifetime for a policy

  1. In the Admin Console, go to Security > Okta Sign-on Policy.
  2. Select an existing Sign-on Policy.
  3. Click Add Rule or Edit to modify an existing policy rule.
  4. Under Session expires after, set the session lifetime duration in minutes, hours, or days.
  5. Click Create Rule or Save Rule once your changes have been made.

Related topics

HealthInsight tasks and recommendations

Network zones

General Security

Sign-on policies and rules