Maximum lifetime for the short-term session

This value defines the lifetime of the short-term session (represented as JWT). Shortly before the timeout, the short-term session (represented as JWT) cookie is refreshed. This refresh uses the long-term session (represented as session ID and database entry) cookie.

| Minimum value | Default value | Maximum value |
| --- | --- | --- |
| 1 minute | 30 minutes | 60 minutes |

We recommend keeping the value for the short-term session (represented as JWT) rather short, as users do not notice the refresh and the payload of the refresh is relatively low.

Maximum lifetime for the long-term session

This value defines the lifetime of the long-term session (represented as session ID and database entry). In general, you can consider this value to be the overall session duration as perceived by your users.

This value must be larger than the maximum lifetime for the short-term session (represented as JWT) and larger than the inactivity timeout for the long-term session (represented as session ID and database entry).

| Minimum value | Default value | Maximum value |
| --- | --- | --- |
| 5 minutes | 30 days | 10 years |

The right maximum lifetime for the long-term session (represented as session ID and database entry) depends a lot on your product and its users.

For a better user experience, a larger value is recommended, while a smaller value is better for security hygiene.

Inactivity timeout for the long-term session

This value defines the time that can pass without any user activity before the user is automatically logged out, regardless of whether the long-term session (represented as session ID and database entry) is still active.

Since the short-term session (represented as JWT) is validated client-side without any server requests to Corbado, the only way to measure activity is by updating it upon session refresh. For instance, no additional activity is recorded if the user simply closes the browser (without logging out) or experiences a loss of internet connection.

This value must be smaller than the maximum lifetime for the long-term session (represented as session ID and database entry) and larger than the maximum lifetime for the short-term session (represented as JWT).

| Minimum value | Default value | Maximum value |
| --- | --- | --- |
| 5 minutes | 5 days | 1 year |

The right inactivity timeout for the long-term session (represented as session ID and database entry) depends a lot on your product and its users.

For a better user experience, a larger value is recommended, as users stay logged in even after a longer time of inactivity.

For better security hygiene, a smaller value is recommended.
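
The following added example (not Corbado code or its API) models how the three settings interact: it checks a configuration against the bounds and ordering rules stated above, then evaluates a refresh request the way the inactivity rule implies, with activity observed only at refresh time. All names (`validate_settings`, `refresh_decision`, the dictionary keys) are hypothetical, and treating a timeout as reached at exactly the limit is an assumption.

```python
from datetime import timedelta as td

# (minimum, maximum) per setting, taken from the tables on this page.
# "10 years" and "1 year" are approximated as 3650 and 365 days.
BOUNDS = {
    "short_lifetime": (td(minutes=1), td(minutes=60)),
    "long_lifetime": (td(minutes=5), td(days=3650)),
    "inactivity_timeout": (td(minutes=5), td(days=365)),
}
DEFAULTS = {"short_lifetime": td(minutes=30), "long_lifetime": td(days=30),
            "inactivity_timeout": td(days=5)}

def validate_settings(s):
    """Return the list of violated rules; an empty list means consistent."""
    errors = []
    for name, (lo, hi) in BOUNDS.items():
        if not lo <= s[name] <= hi:
            errors.append(f"{name} outside [{lo}, {hi}]")
    # Required ordering: short-term lifetime < inactivity timeout < long-term lifetime.
    if not s["short_lifetime"] < s["inactivity_timeout"]:
        errors.append("inactivity_timeout must be larger than short_lifetime")
    if not s["inactivity_timeout"] < s["long_lifetime"]:
        errors.append("inactivity_timeout must be smaller than long_lifetime")
    return errors

def refresh_decision(s, created_at, last_refresh_at, now):
    """Model of a refresh request against the long-term session.

    Times are timedeltas since an arbitrary epoch. The last successful
    refresh is the only activity signal, so a closed browser or a lost
    connection looks identical to an idle user. Returns (allowed, reason).
    """
    if now - created_at >= s["long_lifetime"]:       # assumption: inclusive limit
        return False, "long-term session expired"
    if now - last_refresh_at >= s["inactivity_timeout"]:
        return False, "inactivity timeout"
    return True, "refreshed"
```

With the defaults, a session last refreshed on day 1 is rejected when the browser returns on day 7, even though the 30-day long-term lifetime has not elapsed.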