Authentication timeout
An important feature of the security provided by authentication is that it is temporary—a user must reauthenticate after logging out. Also if a user is logged on and authenticated for an extended period of time, it is a good policy to have them re-authenticate at set periods. This ensures a user’s session is cannot be spoofed and used maliciously for extended periods of time — re-authentication will cut any spoof attempts short. Shorter timeout values are more secure.
Security authentication timeout
You set the security user authentication timeout to control how long an authenticated connection can be idle before the user must authenticate again. The maximum timeout is 4320 minutes (72 hours).
To set the security authentication timeout – web-based manager:
- Go to User & Device > Authentication Settings.
- Enter the Authentication Timeout value in minutes. The default authentication timeout is 5 minutes.
- Select Apply.
SSL VPN authentication timeout
You set the SSL VPN user authentication timeout (Idle Timeout) to control how long an authenticated connection can be idle before the user must authenticate again. The maximum timeout is 259 200 seconds. The default timeout is 300 seconds.
To set the SSL VPN authentication timeout – web-based manager:
- Go to VPN > SSL-VPN Settings.
- Enable Idle Logout and enter the Inactive For value in seconds.
Password policy
- Select Apply.
i found out that there are some sessions last for days ( from 48 to 178 days) even though session timeout is set.
what could be the cause of this?