Tutorial: How to Change the Web Session Timeout

Abstract

This tutorial shows you how to configure the web session timeout settings for Access Server's web services.

Overview

When you authenticate to Access Server's Client Web UI or Admin Web UI, two configuration keys control how long your session stays active:

  • auth.sessiontoken.lifetime — the inactivity timeout. If a session is idle for longer than this value, it expires. The default is 600 seconds (10 minutes).

  • auth.sessiontoken.max_renewaltime — the absolute maximum session age. Even if a user is actively using the web interface and their session is being continuously renewed, they are forced to re-authenticate once this limit is reached. The default is 14400 seconds (4 hours).

These two keys work together. A typical session ends at whichever limit is reached first — inactivity timeout or maximum renewal time. Configure both to match your organization's security requirements.

Prerequisites

  • An installed Access Server.

  • Console access and the ability to get root access.

From the Admin Web UI:

  1. Sign in to the Admin Web UI.

  2. Select Advanced. (You may need to select Proceed in the caution message.)

  3. On the Config Editor tab, enter auth.sessiontoken.lifetime in the search box and press Enter.

  4. The current value displays. If it hasn't been modified, the default is 600.

  5. Clear the search box, enter auth.sessiontoken.max_renewaltime, and press Enter.

  6. The current value displays. If it hasn't been modified, the default is 14400.

From the CLI:

  1. Sign in to the console and get root privileges.

  2. Run the following commands to see the current settings:

    sacli ConfigQuery | grep -i "auth.sessiontoken.lifetime"
    sacli ConfigQuery | grep -i "auth.sessiontoken.max_renewaltime"

    Note

    If no value is returned for either key, the server is using the default values.
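
The script below is an added example, not part of the original tutorial or of Access Server's own tooling. It applies the note above by substituting the documented defaults when a key is absent, and it flags an inactivity timeout that is longer than the maximum session age. It assumes ConfigQuery prints one "key": "value" pair per line; the function names and the sample configuration are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective web session timeouts from ConfigQuery output.
# Assumption: `sacli ConfigQuery` prints one "key": "value" pair per line.

DEFAULT_LIFETIME=600        # default inactivity timeout from this tutorial
DEFAULT_MAX_RENEWAL=14400   # default maximum session age from this tutorial

# effective_value KEY DEFAULT CONFIG_TEXT
# Prints the value stored for KEY, or DEFAULT when the key is not set.
effective_value() {
    # Escape dots so the key is matched literally, not as a regex wildcard.
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    value=$(printf '%s\n' "$3" |
        sed -n "s/^[[:space:]]*\"$key_re\":[[:space:]]*\"\{0,1\}\([0-9][0-9]*\)\"\{0,1\},\{0,1\}[[:space:]]*\$/\1/p" |
        head -n 1)
    printf '%s\n' "${value:-$2}"
}

# audit_timeouts CONFIG_TEXT
# Prints both effective limits. Returns 1 when the inactivity timeout is longer
# than the maximum session age, because then only the maximum age ends a session.
audit_timeouts() {
    idle=$(effective_value auth.sessiontoken.lifetime "$DEFAULT_LIFETIME" "$1")
    cap=$(effective_value auth.sessiontoken.max_renewaltime "$DEFAULT_MAX_RENEWAL" "$1")
    echo "inactivity timeout: ${idle}s  maximum session age: ${cap}s"
    if [ "$idle" -gt "$cap" ]; then
        echo "WARNING: inactivity timeout exceeds maximum session age" >&2
        return 1
    fi
    return 0
}

# Constructed sample: lifetime overridden, max_renewaltime left at its default.
SAMPLE_CONFIG='{
  "auth.sessiontoken.lifetime": "300",
  "host.name": "vpn.example.com"
}'

audit_timeouts "$SAMPLE_CONFIG"
# On a server, as root: audit_timeouts "$(sacli ConfigQuery)"
```
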

Set the inactivity timeout

This sets how long a session can be idle before it expires.

From the Admin Web UI:

  1. On the Config Editor tab, select the edit icon for auth.sessiontoken.lifetime.

  2. Enter a new Integer value in seconds. For example, enter 300 for 5 minutes.

  3. Select Save and Restart.

From the CLI:

  • Set the inactivity timeout to five minutes (300 seconds):

    sacli --key "auth.sessiontoken.lifetime" --value "300" ConfigPut
    sacli start

Set the maximum renewal time

This sets the absolute maximum age of a session, regardless of activity.

From the Admin Web UI:

  1. On the Config Editor tab, select the edit icon for auth.sessiontoken.max_renewaltime.

  2. Enter a new Integer value in seconds. For example, enter 28800 for 8 hours.

  3. Select Save and Restart.

From the CLI:

  • Set the maximum session age to 8 hours (28800 seconds):

    sacli --key "auth.sessiontoken.max_renewaltime" --value "28800" ConfigPut
    sacli start

Reset the inactivity timeout

From the Admin Web UI:

  1. On the Config Editor tab, select the edit icon for auth.sessiontoken.lifetime.

  2. Select the Default setting checkbox.

    • The value reverts to 600.

  3. Select Save and Restart.

From the CLI:

  • Remove the key so it resets to its default:

    sacli --key "auth.sessiontoken.lifetime" ConfigDel
    sacli start

Reset the maximum renewal time

From the Admin Web UI:

  1. On the Config Editor tab, select the edit icon for auth.sessiontoken.max_renewaltime.

  2. Select the Default setting checkbox.

    • The value reverts to 14400.

  3. Select Save and Restart.

From the CLI:

  • Remove the key so it resets to its default:

    sacli --key "auth.sessiontoken.max_renewaltime" ConfigDel
    sacli start