Configuring IAM Sessions and Tokens

Tokens and Sessions

Tokens are digital credentials that represent the identity and permissions of a user. Tokens enable stateless authentication because they carry all the data needed to describe a user session.

Types of tokens:

  1. Access token – issued upon successful authentication and used to handle authorization of users.
  2. Refresh token – used to obtain a new access token without re-login.
  3. ID token – used to obtain basic user details after authentication.

Once a user logs into the application successfully, IFS Identity and Access Manager (IAM) creates a session for them. This session remains active until it times out or until the user logs out explicitly. During this active session, the user can utilize it to access the application.

Managing Sessions and Tokens

It is crucial to establish expiration timeouts for every session and token to minimize the window of opportunity for attackers. Failing to do so significantly increases the risk of session-based attacks and session hijacking.

General session and token timeouts

  1. Session Idle Timeout – This defines how long a user session remains active without user interaction.
  2. Session Max Time – Maximum time a user session remains active.
  3. Access Token Lifespan - This defines how long an access token remains active.

IFS Cloud includes control of the session and token timeouts through the Sessions and Tokens page in the IAM Configurations.

NOTE:

  1. To edit the Sessions and Tokens configuration, you must have the AUTH_ADMINISTRATOR system privilege.
  2. The selected unit (minutes, hours, or days) applies to the numeric value exactly as entered. Unit conversions are not supported.

Configuration | Description | Minimum Value | Maximum Value | Default Value
Access Token lifespan | This value controls the lifetime of the access token. | 1 Minute | 1 Hour | 3 Minutes
Sessions Idle | If a user is inactive for longer than this timeout, the user session is invalidated. | (Access Token lifespan + 2) Minutes | (Session Max - 2) Minutes | 30 Minutes
Session Max | The maximum time before a user session expires. | (Sessions Idle + 2) Minutes | 24 Hours | 10 Hours
Offline Session Idle | This setting is for offline access: the amount of time the session may remain idle before IAM revokes its offline token. This value is not configurable. | n/a | n/a | 30 Days
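The minimum and maximum rules in the table above depend on each other (Sessions Idle is bounded by the Access Token lifespan and by Session Max), so a proposed configuration is easy to get wrong. The following added example (not IFS code; the function names and the (value, unit) input format are assumptions) normalises the entered values to minutes purely for comparison and reports every rule a configuration violates:

```python
# Added example, not part of IFS IAM: check a proposed Sessions and Tokens
# configuration against the minimum/maximum rules from the table above.
# The rule values (1 Minute..1 Hour, +2 / -2 Minutes, 24 Hours) come from the
# page; the function names and the (value, unit) tuples are assumptions.

MINUTES_PER_UNIT = {"minute": 1, "minutes": 1, "hour": 60, "hours": 60,
                    "day": 1440, "days": 1440}


def to_minutes(value: int, unit: str) -> int:
    """Convert a (value, unit) pair to minutes so the rules can be compared.
    IAM itself does not convert units; this is only a common scale for the
    checks, and the administrator still enters the value in the chosen unit."""
    if value < 1:
        raise ValueError(f"value must be at least 1, got {value}")
    try:
        return value * MINUTES_PER_UNIT[unit.lower()]
    except KeyError:
        raise ValueError(f"unsupported unit {unit!r}") from None


def validate_session_config(access_token, session_idle, session_max):
    """Each argument is a (value, unit) tuple. Returns a list of violations;
    an empty list means the configuration satisfies every rule in the table."""
    tok = to_minutes(*access_token)
    idle = to_minutes(*session_idle)
    mx = to_minutes(*session_max)
    problems = []
    # Access Token lifespan: 1 Minute .. 1 Hour
    if not 1 <= tok <= 60:
        problems.append(f"access token lifespan {tok} min is outside 1..60 minutes")
    # Sessions Idle: (Access Token lifespan + 2) .. (Session Max - 2) minutes
    if idle < tok + 2:
        problems.append(f"session idle {idle} min must be >= access token + 2 ({tok + 2})")
    if idle > mx - 2:
        problems.append(f"session idle {idle} min must be <= session max - 2 ({mx - 2})")
    # Session Max: (Sessions Idle + 2) minutes .. 24 Hours. The lower bound is
    # the same rule as 'idle <= mx - 2' above, so only the upper bound remains.
    if mx > 24 * 60:
        problems.append(f"session max {mx} min exceeds 24 hours")
    return problems


# Constructed sample: the page's default values, which must pass.
DEFAULTS = ((3, "Minutes"), (30, "Minutes"), (10, "Hours"))

if __name__ == "__main__":
    for problem in validate_session_config(*DEFAULTS) or ["defaults are valid"]:
        print(problem)
```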

The following recommendations for session and token timeouts help mitigate security risks such as session hijacking and unauthorized access.

Access Token Lifespan: Shorter session intervals reduce the time an attacker has to use a valid session ID. Common timeout ranges are 3-5 minutes for high-value applications and 15-30 minutes for low-risk applications.

Both the session idle and max session timeout values are highly dependent on how critical the application and its data are.

  • Session idle timeout: Typically, 15-30 minutes of inactivity is recommended. If the user does not interact with the application within this timeframe, the session should end automatically.
  • Session max timeout: depends on how long a user usually uses the application. For instance, if the application is intended to be used by an office worker for a full day, an appropriate absolute timeout range could be between 8 and 10 hours.

To change the timeout of a particular IAM client only, refer to IAM Client Sessions.