Session Lifetime Limits

A session lifetime defines how long a session may exist. Session lifetime limits are an important security control because without them an administrator's session could stay open indefinitely, leaving it exposed to unauthorized use. When you edit a session lifetime, you can change the maximum session lifetime and how long a session can be idle before the system closes it.

Each time an administrator logs on to the Security Console, Operations Console, or Self-Service Console, the sessions described below are created.

Up to ten administrators can be logged on at the same time.

You can create different sets of session attributes for the primary instance and the replica instance.

Logon Session

Logon Session settings control the lifetime of sessions that have been abandoned or have not yet completed authentication. They apply to the following types of logon sessions:

  • Security Console (administrators)

  • Operations Console (administrators)

  • Self-Service Console (non-administrative)

  • Users who are authenticating through risk-based authentication (non-administrative)

The defaults for these settings are a three-minute idle time-out and an eight-minute total lifetime.

EAP32 Session Lifetime

The Extensible Authentication Protocol (EAP) session settings control the initial lifetime of EAP32 sessions.

Console and Command API Session

The Console and Command API Session settings control the authenticated (active) sessions of administrators in the web-based consoles and in the command application programming interface (API). The defaults are a 30-minute idle time-out and an eight-hour total lifetime.

The Authentication Manager web-based administrative consoles are the Security Console and the Operations Console. The command API is used by programmers, web developers, or systems engineers responsible for developing custom software applications that interact with the Authentication Manager system. For information on the command API, see the RSA Authentication Manager Developer’s Guide.

Types of Session Lifetime Settings

Session settings apply to the logon pages for the web-based administrative consoles, the command API interface described in the RSA Authentication Manager Developer’s Guide, and the risk-based authentication (RBA) logon attempts by end users. When a session times out or reaches the maximum lifetime, the logon page is redisplayed, and the user must log on again.

You can configure the following settings for sessions:

  • Time-out. The length of time that a session can be inactive before it is terminated. The default for console and command API sessions is 30 minutes (three minutes for logon sessions).

  • Maximum Lifetime. The maximum length of a session. When a session reaches its maximum lifetime, it is terminated and the administrator is logged off, whether or not the session is active. The default for console and command API sessions is eight hours (eight minutes for logon sessions).

The maximum lifetime is enforced independently of session activity. For example, if the console and command API session lifetime is eight hours, an administrator is automatically logged off after eight hours even if the session was never idle.
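How the two limits interact, for both the logon defaults (three minutes idle, eight minutes total) and the console and command API defaults (30 minutes idle, eight hours total), as an added example that is not part of this page and not code from RSA Authentication Manager: a small Python model of a server-side session record that enforces an idle time-out and a maximum lifetime on every request. The class, function and constant names are ours; the limit values are the page's defaults; the start time and request schedules are constructed; and because the page does not say whether a request arriving exactly at a limit is accepted, the model assumes it is not.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LifetimePolicy:
    """One session type's settings. None models a cleared check box on the Edit page."""
    idle_timeout: Optional[timedelta]   # "Time out idle sessions"
    max_lifetime: Optional[timedelta]   # "Limit session lifetime"


# Defaults as stated on this page; the constant names are ours, not the product's.
LOGON_DEFAULT = LifetimePolicy(timedelta(minutes=3), timedelta(minutes=8))
CONSOLE_DEFAULT = LifetimePolicy(timedelta(minutes=30), timedelta(hours=8))
UNLIMITED = LifetimePolicy(None, None)   # both boxes cleared: the weak configuration


class Session:
    """Server-side session record; both limits are checked on every request via touch()."""

    def __init__(self, policy: LifetimePolicy, created_at: datetime) -> None:
        self.policy = policy
        self.created_at = created_at
        self.last_activity = created_at
        self.terminated_reason: Optional[str] = None

    def expiry_reason(self, now: datetime) -> Optional[str]:
        """None while the session is valid at `now`, otherwise why it ended.
        Assumption: a request arriving exactly at a limit is already too late."""
        if self.terminated_reason is not None:
            return self.terminated_reason
        p = self.policy
        if p.max_lifetime is not None and now - self.created_at >= p.max_lifetime:
            self.terminated_reason = "max_lifetime"   # measured from creation, ignores activity
        elif p.idle_timeout is not None and now - self.last_activity >= p.idle_timeout:
            self.terminated_reason = "idle_timeout"   # measured from the last request
        return self.terminated_reason

    def touch(self, now: datetime) -> bool:
        """Record a request at `now`; False means the logon page must be redisplayed."""
        if self.expiry_reason(now) is not None:
            return False
        self.last_activity = now
        return True

    def deadline(self) -> Optional[datetime]:
        """Earliest instant the session expires if nothing more happens (None if unlimited)."""
        p = self.policy
        candidates = []
        if p.max_lifetime is not None:
            candidates.append(self.created_at + p.max_lifetime)
        if p.idle_timeout is not None:
            candidates.append(self.last_activity + p.idle_timeout)
        return min(candidates) if candidates else None


T0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time for the scenarios below


def keepalive_scenario(policy: LifetimePolicy, interval_minutes: float,
                       horizon_minutes: float) -> Tuple[float, Optional[str]]:
    """Send a request every `interval_minutes` for up to `horizon_minutes`.
    Returns (minutes elapsed when the session ended, reason), or (horizon, None) if it survived."""
    session = Session(policy, T0)
    step = timedelta(minutes=interval_minutes)
    t = T0
    while t - T0 <= timedelta(minutes=horizon_minutes):
        if not session.touch(t):
            return (t - T0).total_seconds() / 60, session.terminated_reason
        t += step
    return horizon_minutes, None


def cookie_max_age_minutes(policy: LifetimePolicy, activity_minutes: List[float]) -> Optional[float]:
    """Replay requests at the given minute offsets, then return how long the cookie issued on
    the last request should live: the tighter of the two limits, measured from that request."""
    session = Session(policy, T0)
    now = T0
    for m in activity_minutes:
        now = T0 + timedelta(minutes=m)
        if not session.touch(now):
            raise RuntimeError(f"session ended before minute {m}: {session.terminated_reason}")
    d = session.deadline()
    return None if d is None else (d - now).total_seconds() / 60


if __name__ == "__main__":
    # A busy console session still ends at the eight-hour cap: (480.0, 'max_lifetime')
    print(keepalive_scenario(CONSOLE_DEFAULT, 10, 9 * 60))
    # A logon attempt left alone for four minutes: (4.0, 'idle_timeout')
    print(keepalive_scenario(LOGON_DEFAULT, 4, 8))
    # Cookie Max-Age shrinks to 5 minutes as the absolute cap approaches: 5.0
    print(cookie_max_age_minutes(CONSOLE_DEFAULT, [25 * k for k in range(20)]))
```

keepalive_scenario shows why the Maximum Lifetime setting matters: a console session touched every ten minutes never trips the 30-minute idle time-out, yet still ends at the eight-hour cap. cookie_max_age_minutes shows the value a server should place on the session cookie, the earlier of the two deadlines, which shrinks towards zero as the absolute cap approaches. A policy with both boxes cleared (UNLIMITED) never ends a session on its own, which is the condition the page warns against.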

Only a Super Admin can modify the console and command API session settings.

Edit Session Lifetime Limit

When you edit a session lifetime, you can change settings such as the maximum session lifetime, and the amount of time a session can be idle before the system closes it.

Before you begin

You must be a Super Admin.


  1. In the Security Console, click Setup > System Settings.

  2. Under Console & Session Settings, click Session Lifetime.

  3. Click the session type that you want to edit, and select Edit from the context menu.

  4. Under Session Lifetime Settings, do the following:

    1. To end sessions after a period of inactivity, select Time out idle sessions and enter the time-out duration.

    2. To cap the total duration of a session, select Limit session lifetime and enter the maximum lifetime.

  5. Click Save.