Okta Classic Engine | Single Sign-On | Answered | 2023-08-01T19:30:20.000Z | 2020-10-14T15:04:24.000Z | 2020-10-27T23:54:16.000Z

JacobD.07175 (Customer) asked a question.

Understanding difference between User, App, and Authorization Server session lifetimes

Hello,

We have 3 apps that seem to be creating unlimited sessions. The sessions have inactivity logout code built in, but if one closes a Chrome tab without ending the session, the other 2 apps can be opened after the 15-minute session set up in Security > Auth > Default Policy (applies to all users).

In Security > API > Auth servers (Figure 2), we have the session set to 30 minutes, but we didn't think that was affecting anything.

We need SSO to have a 15-minute lifetime max for all apps. Some apps seem to create an infinite session.

We have set no authorization lifetime in the individual app settings.

What is the difference between these 3 Okta settings, and how can I resolve this issue?

Thanks!

Figure 1: /help/servlet/rtaImage?refid=0EM1Y000001KwLq

Figure 2: /help/servlet/rtaImage?refid=0EM1Y000001KwLW

  • JacobD.07175 (Customer)

    Hi @tim.lopez1.5480328098306519E12 (Okta, Inc.)!

    These are custom OIDC applications. 2 are React applications handling auth client-side with the Okta SDK. The other is a C#/.NET app with server-side auth calls, which could not use the SDK given the age of the app.

    If the issue has to do with any config, it has to be the auth server lifetime and refresh duration. But I am not sure, because we are shrinking those times down for testing and not getting anywhere.

    Best,

    Jake
  • JacobD.07175 (Customer)

    Thanks @User15840121138297454909 (Okta)!

    I have a case open, but we haven't solved it yet.

    I think some apps may be starting the session if there is a valid cookie but are not checking with Okta. My understanding is that it's common practice to not do an API call (as in the link you provided) if you can validate the encrypted cookie locally. I think we are just not checking the session lifetime in the cookie. Is there any good documentation on best practices when checking for an active session?
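The check described in the last comment, written out as an added example that is not part of the original thread or of Okta's own code: a server-side helper that enforces the 15-minute inactivity limit from the question on the app's own session record, and then confirms with Okta that the session still exists instead of trusting a cookie that merely exists. The session record shape, the 8-hour absolute cap, and the injected `checkOktaSession` function are assumptions; `GET /api/v1/sessions/{id}` is Okta's Sessions API.

```javascript
// Added example, not from the original post. Assumes the app keeps its own
// session record: { issuedAt, lastSeen, oktaSessionId } (all times in ms).
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;      // the 15-minute limit from the question
const MAX_LIFETIME_MS = 8 * 60 * 60 * 1000;  // absolute cap (assumed value)

// Local checks only: these catch the "stale cookie still opens the app" case
// without any network call.
function evaluateLocalSession(session, now) {
  if (!session) return { active: false, reason: 'no-session' };
  if (now - session.lastSeen > IDLE_TIMEOUT_MS) return { active: false, reason: 'idle' };
  if (now - session.issuedAt > MAX_LIFETIME_MS) return { active: false, reason: 'max-lifetime' };
  return { active: true, reason: 'ok' };
}

// Full check: local limits first, then confirm Okta still has a live session so
// a sign-out or expiry in Okta is not masked by a valid-looking app cookie.
// `checkOktaSession(sessionId)` is injected so the logic can be tested offline.
async function requireActiveSession(session, now, checkOktaSession) {
  const local = evaluateLocalSession(session, now);
  if (!local.active) return local;
  const okta = await checkOktaSession(session.oktaSessionId);
  if (!okta.exists) return { active: false, reason: 'okta-session-gone' };
  session.lastSeen = now; // sliding idle window: activity extends the session
  return { active: true, reason: 'ok' };
}

// Real checker for production use (network call, not exercised offline):
// Okta's Sessions API returns 404 once the session is gone.
async function checkOktaSessionViaApi(oktaDomain, apiToken, sessionId) {
  const res = await fetch(`https://${oktaDomain}/api/v1/sessions/${sessionId}`, {
    headers: { Authorization: `SSWS ${apiToken}`, Accept: 'application/json' },
  });
  if (res.status === 404) return { exists: false };
  if (!res.ok) throw new Error(`unexpected status ${res.status}`);
  const body = await res.json();
  return { exists: body.status === 'ACTIVE', expiresAt: body.expiresAt };
}
```

Wire `requireActiveSession` into the request pipeline with `checkOktaSessionViaApi` bound to your org domain and API token; an inactive result should end the app session and redirect to sign-in.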
This question is closed.