Session lifetime

Session lifetime for PrivX users is configured in /opt/privx/etc/oauth-shared-config.toml. Two settings control refresh-token validity and the maximum duration of a session:

  • refresh_token_valid sets how long an issued refresh token remains valid. While it is valid, the refresh token can be used to reissue access tokens.

  • session_valid caps the total session duration, measured from login: PrivX issues refresh tokens only within that period. If session_valid is not set, refresh_token_valid effectively becomes the maximum session validity.

In the following example, a PrivX user is logged out 30 minutes after the last token renewal (the refresh token expires if no access token is renewed within its validity period), or 24 hours after the initial login, whichever comes first:

refresh_token_valid="30m"
session_valid="24h"

Automatic Logout in PrivX GUI

If a PrivX user is inactive in their GUI session, they can be automatically logged out after a specified duration. Configure this in Settings→Authentication→User Session Inactivity→Session Inactivity Limit (Seconds). GUI users are logged out once they have not interacted with any PrivX-GUI tab for that long, regardless of token activity (tokens keep being refreshed while tabs are open in the browser, so token activity alone does not count as user activity).

The minimum value of Session Inactivity Limit (Seconds) is 60 seconds. Its maximum value is restricted by the session-lifetime settings in /opt/privx/etc/oauth-shared-config.toml:

  • Maximum value is equal to session_valid if defined.

  • If session_valid is unset, maximum value is equal to the refresh_token_valid.

  • If both session_valid and refresh_token_valid are unset, the maximum is 24 hours.

For common usage, we recommend the following settings in /opt/privx/etc/oauth-shared-config.toml:

refresh_token_valid="30m"
session_valid="24h"

With the previous settings and Session Inactivity Limit (Seconds) set to 3600 seconds, a PrivX GUI user is logged out after an hour of inactivity as long as at least one PrivX tab stays open (so that access tokens keep being refreshed). If all PrivX tabs are closed, the session expires either when the access token can no longer be renewed, that is, when the 30-minute refresh-token validity runs out, or after an hour of inactivity has passed.

As another example, you could have the following settings in /opt/privx/etc/oauth-shared-config.toml:

refresh_token_valid="15m"
# session_valid="24h"

If Session Inactivity Limit (Seconds) is set to 600 seconds, a PrivX UI user is logged out after 10 minutes of inactivity. If it were set to 3600 seconds instead, the user would still be logged out after 15 minutes of inactivity with at least one tab open, because with session_valid unset the limit cannot exceed refresh_token_valid (15 minutes).
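The following script is an added example and is not part of the PrivX documentation or product. It reads the two session-lifetime keys from an oauth-shared-config.toml-style file (treating a commented-out line such as "# session_valid=..." as unset), derives the ceiling for Session Inactivity Limit (Seconds) from the three rules above, and checks a candidate value against the 60-second floor and that ceiling, reproducing the 600-versus-3600 outcome of the second configuration on this page. It assumes the durations use the Go-style "30m", "24h", "1h30m" format shown here; the sample config it writes is constructed for the example and is not the real /opt/privx/etc/oauth-shared-config.toml.

```shell
#!/bin/sh
# Derive the ceiling for "Session Inactivity Limit (Seconds)" from the
# session-lifetime keys of an oauth-shared-config.toml-style file.
# Added example (not PrivX code); assumes Go-style durations such as
# "30m", "24h" or "1h30m" with integer h/m/s components.

# duration_to_seconds DURATION -> prints total seconds; exits 1 on malformed input
duration_to_seconds() {
    printf '%s\n' "$1" | awk '{
        s = $0; total = 0
        while (match(s, /^[0-9]+[hms]/)) {
            n = substr(s, RSTART, RLENGTH - 1)   # digits
            u = substr(s, RLENGTH, 1)            # unit letter
            if (u == "h") total += n * 3600
            else if (u == "m") total += n * 60
            else total += n
            s = substr(s, RLENGTH + 1)
        }
        if (s != "") exit 1                      # trailing garbage, e.g. "30x"
        print total
    }'
}

# config_value FILE KEY -> prints the value of the last active (uncommented)
# KEY = "value" line without quotes; prints nothing if the key is unset
config_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # "# session_valid=..." is unset
        {
            line = $0; sub(/#.*$/, "", line)      # drop trailing comments
            if (match(line, "^[ \t]*" key "[ \t]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/"/, "", val)
                last = val
            }
        }
        END { if (last != "") print last }' "$1"
}

# max_inactivity_seconds FILE -> ceiling for the GUI inactivity limit
max_inactivity_seconds() {
    sv=$(config_value "$1" session_valid)
    rv=$(config_value "$1" refresh_token_valid)
    if [ -n "$sv" ]; then
        duration_to_seconds "$sv"        # rule 1: session_valid when defined
    elif [ -n "$rv" ]; then
        duration_to_seconds "$rv"        # rule 2: otherwise refresh_token_valid
    else
        echo 86400                       # rule 3: neither set -> 24 hours
    fi
}

# check_inactivity_limit FILE SECONDS -> returns 0 when SECONDS is allowed
# (at least the 60-second minimum and at most the derived ceiling)
check_inactivity_limit() {
    max=$(max_inactivity_seconds "$1") || return 1
    [ "$2" -ge 60 ] && [ "$2" -le "$max" ]
}

# Constructed sample config for this example (not the real /opt/privx file);
# it mirrors the second configuration discussed on this page.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
refresh_token_valid="15m"
# session_valid="24h"
EOF

echo "ceiling: $(max_inactivity_seconds "$cfg") seconds"
for limit in 600 3600; do
    if check_inactivity_limit "$cfg" "$limit"; then
        echo "$limit seconds is allowed"
    else
        echo "$limit seconds is rejected (outside 60..$(max_inactivity_seconds "$cfg"))"
    fi
done
rm -f "$cfg"
```

Run it against a copy of your own configuration by replacing the constructed file with the path to /opt/privx/etc/oauth-shared-config.toml; a rejected value tells you the GUI setting is being capped by the session-lifetime keys rather than by what you typed.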
