Enforce a limited session lifetime for all policies
Session lifetime determines the maximum idle time of an end user's sign-on session to Okta. Lowering this value decreases the risk of malicious third party access to a user's applications from an active session.
The maximum time allowed time for this setting is 90 days. The default session lifetime is two hours. On the end-user dashboard, a countdown timer appears at the five-minute mark of remaining session time.
HealthInsight task recommendation
Enforce a limited session lifetime in your org policies to reduce the risk of malicious third-party access to an end user's applications (when an end-user session is active).
| Okta recommends |
A session lifetime of two hours or less. |
| Security impact |
High |
| End-user impact |
Moderate End users using the end user dashboard will receive a countdown prompt based on the set duration once there are five minutes remaining in the active session. |
Set the session lifetime for a policy
- From the Admin Console navigate to Security > Okta Sign-on Policy.
- Select an existing Sign-on Policy.
- Click Add Rule or Edit to modify an existing policy rule.
- Under sSession expires after, set the session lifetime duration in minutes, hours, or days.
- Click Create Rule or Save Rule once your changes have been made.