Change session timeout
important
By default, the session timeout is for 100 days.
This means that a user will get logged out only after 100 days of inactivity. To put this another way, if a user is active even once in a 100 days (after the access token expires), their session's lifetime is extended by another 100 days.
This value can be changed by:
- Changing the
refresh_token_validity
value (time in mins): Determines the overall session timeout.- The default is 100 days.
- Changing the
access_token_validity
value (time in seconds): Does not affect the overall session timeout, but affects how often session refreshing occurs.- The default is 1 hour.
- This time does not determine the user experience, but only the security of the overall session system.
- With Docker
- Without Docker
- With SaaS
docker run \
-p 3567:3567 \
-e REFRESH_TOKEN_VALIDITY=<Default: 144000> \
-e ACCESS_TOKEN_VALIDITY=<Default: 3600> \
-d registry.supertokens.io/supertokens/supertokens-<db name>
# You need to add the following to the config.yaml file.
# The file path can be found by running the "supertokens --help" command
refresh_token_validity: # Default 144000
access_token_validity: # Default 3600
- Navigate to your SuperTokens managed service dashboard, and click on the Edit Configuration button.
- In there, change the values of the following fields, and click on save.
refresh_token_validity: # Default 144000
access_token_validity: # Default 3600
security
We recommend keeping the access_token_validity
as small as possible because:
- If they are stolen, then token theft detection can only occur after the access token expires.
- If the session is revoked, and the user somehow still has their access token, they will be able to query the APIs until it expires (unless you switch on access token blacklisting).
caution
Setting access_token_validity
to over 400 days may disable session-refreshing in Chrome (and Chromium-based browsers), meaning that it will make sessions expire after 400 days with or without activity in those browsers.
This is a limitation added by Chrome. For more information, check here.