Frequent Password Prompts and Session Expiration Behavior
Okta Classic Engine
Okta Identity Engine
Administration
Overview

Users report additional friction during login due to frequent password prompts. Specifically, users are required to enter a password every two hours or immediately after closing and reopening a browser.

Applies To
  • Global Session Policy
  • Application Sign-on Policy
Cause

A review of system logs and policy configurations indicates the following root causes for these behaviors:

  • Frequent Password Prompts: The Application Sign-on Policy is configured to require password authentication at a short interval (for example, every 2 hours) since the last Global Session Policy (GSP) authentication.
  • Session Expiry on Browser Close: The option to set persistent cookies is disabled in the GSP. Consequently, closing the browser ends the session. This is expected behavior designed to prevent security risks associated with cookie theft, as persistent cookies remain valid for the configured duration even after the browser is closed.
  • App-Specific Timeouts: If an application session expires while the browser remains open, this is determined by the session length configured within the application itself. Okta does not control when an app expires a session; it only determines whether re-authentication is required once the session has ended.
Solution

To reduce the frequency of password prompts, perform the following steps to adjust the policy configuration:

  1. Navigate to the Application Sign-on Policy.
  2. Edit the relevant rule.
  3. Increase the Re-authentication frequency setting to a longer duration.
  4. Save the changes.

NOTE: 

  • Users must authenticate again after closing a browser unless persistent cookies are enabled.
  • When a user keeps a browser window open, the Okta session may refresh as they authenticate to different apps. However, if an individual app session expires, the user is challenged based on the Okta policy settings.
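
The two policy causes above can be checked offline against exported policy rules before changing anything. The script below is an added example, not Okta's code: it assumes the rules have been exported as JSON in the shape used by the Okta Policy API (`reauthenticateIn` on the Application Sign-on Policy rule, `usePersistentCookie` on the GSP rule), and the 480-minute threshold and sample rules are constructed for illustration.

```python
import re

# ISO 8601 duration subset used for re-authentication intervals (PT2H, PT30M, P1D)
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_minutes(value):
    """Convert an ISO 8601 duration such as 'PT2H' to minutes; None if unparseable."""
    m = _DUR.match(value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s // 60

def review_rules(app_rules, gsp_rules, min_reauth_minutes=480):
    """Return (rule name, finding) pairs explaining likely password prompts.

    min_reauth_minutes is a hypothetical threshold; set it to the shortest
    re-authentication interval your security requirements accept.
    """
    findings = []
    for rule in app_rules:
        vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
        raw = vm.get("reauthenticateIn")
        mins = duration_minutes(raw)
        if raw is not None and mins is None:
            findings.append((rule["name"], f"unparseable re-authentication value {raw!r}"))
        elif mins is not None and mins < min_reauth_minutes:
            findings.append((rule["name"], f"re-authentication every {mins} min"))
    for rule in gsp_rules:
        session = rule.get("actions", {}).get("signon", {}).get("session", {})
        # Persistent cookies disabled: closing the browser ends the Okta session
        if not session.get("usePersistentCookie", False):
            findings.append((rule["name"], "session ends when the browser closes"))
    return findings

# Constructed sample rules (not from a real tenant)
SAMPLE_APP_RULES = [
    {"name": "Catch-all", "actions": {"appSignOn": {"verificationMethod": {"reauthenticateIn": "PT2H"}}}},
    {"name": "Low-risk apps", "actions": {"appSignOn": {"verificationMethod": {"reauthenticateIn": "PT12H"}}}},
]
SAMPLE_GSP_RULES = [
    {"name": "Default Rule", "actions": {"signon": {"session": {"usePersistentCookie": False}}}},
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_APP_RULES, SAMPLE_GSP_RULES):
        print(f"{name}: {finding}")
```

A finding on the GSP rule describes expected behavior, not a misconfiguration: it only explains why users are prompted after reopening the browser.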