Customize session timeout settings

The Command Platform and Rapid7 products have a default idle session timeout of 30 minutes, but you may have policies or use cases at your organization that make a shorter or longer idle session timeout more practical. If that’s the case, you can customize idle session timeout settings from the Command Platform.

Before you begin

  • Idle session timeout is the amount of time a user can remain idle before the session is automatically ended or “expired.” After the session expires, the user must log in again.
  • Only Platform Administrator users can edit an organization’s idle session timeout settings.
  • All users receive a 5-minute session timeout warning before their session expires.
  • The Open Web Application Security Project (OWASP) cites common session timeout ranges of 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications. If you want more details about session timeouts, we recommend you check out OWASP’s Session Management Cheat Sheet: https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet.html

InsightVM idle session timeout settings

For any users logged into InsightVM, the idle session timeout configured on the on-premises Security Console overrides any idle session timeout set at the Platform level, so change it on the console if you need a different value for InsightVM users.

Customize the default session timeout

The Default Session Timeout set at the Platform level applies to all Command Platform and Rapid7 product users (except InsightVM users) unless they set a Personalized Session Timeout. The Default Session Timeout is initially 30 minutes, but you can increase or decrease this initial timeout setting to suit your organization’s policies and needs.

Changing your Default Session Timeout

If you change the Default Session Timeout, the change takes effect the next time each user logs in. Users who are logged in at the time of the change keep the session timeout that was in effect when they logged in.

To change the Default Session Timeout:

  1. From the left menu of the Rapid7 Command Platform Home page, click the Administration link.
  2. On the Settings page, go to Session Timeout.
  3. Select a new time from the Default Session Timeout dropdown list.

The Default Session Timeout setting on the Company Settings page

Enable and customize personalized session timeouts

The Personalized Session Timeouts feature enables Command Platform and Rapid7 product users to establish their own idle session timeout through their Profile Settings. If a user establishes their own idle session timeout, it overrides whatever Default Session Timeout is set. If a user does not establish their own session timeout, the Default Session Timeout still applies.

For users to have the option of establishing their own idle session timeout, a Platform Administrator must enable Personalized Session Timeouts and select the idle timeout session options you want to make available to them.

To enable and customize Personalized Session Timeouts:

  1. From the left menu of the Rapid7 Command Platform Home page, click the Administration link.
  2. On the Settings page, go to Session Timeout.
  3. Click the toggle button to Enable Personalized Session Timeouts.
  4. Select the idle session timeout options you want to make available to users.

Personalized Session Timeouts settings on the Company Settings page

Non-Expiring session timeout

Non-Expiring means that the user’s session remains active until they log out. No length of idle time results in session expiration when a user selects the Non-Expiring option. This may be appropriate if you want a session to remain active so you can continuously display Rapid7 product data on screens in a secure SOC for monitoring. Because such a session never ends on its own, treat it as an exception rather than a convenience: only offer the option if you have this need, use it with a dedicated, least-privilege account for the display rather than an administrator’s account, and keep the screens in a physically controlled space.

Removing Personalized Session Timeout options

If you remove a Personalized Session Timeout option, active sessions are ended for all users with that option selected in their Profile Settings and their idle session timeout returns to the default.

After you enable Personalized Session Timeouts, Rapid7 users can navigate to their Profile Settings and establish their own session timeout by choosing one of the options you made available to them.
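The rules described on this page (a Default Session Timeout that applies unless the user has a Personalized Session Timeout, a change to the default that only takes effect at the next login, a 5-minute warning, a Non-Expiring option, and removal of an option ending the sessions of users who selected it) can be modelled as a small server-side session store. The following is an added illustration written for this page, not Rapid7’s own code, and the class, user and option names in it are constructed for the example. It shows how idle expiry is enforced by comparing the time since the last recorded activity against a timeout fixed at login, which is the property that makes an idle timeout meaningful regardless of what the client does.

```python
import math
import secrets
from dataclasses import dataclass, field
from typing import Optional

NON_EXPIRING = math.inf        # an idle timeout that never elapses
WARNING_BEFORE = 5 * 60        # warning shown 5 minutes before expiry


@dataclass
class OrgSettings:
    """Organization-level settings a Platform Administrator would set (names are illustrative)."""
    default_timeout: float = 30 * 60
    personalized_enabled: bool = False
    personalized_options: set = field(default_factory=set)   # timeouts offered to users, in seconds


@dataclass
class User:
    name: str
    personalized_timeout: Optional[float] = None   # choice made in Profile Settings, or None


@dataclass
class Session:
    user: str
    idle_timeout: float        # fixed at login; later changes to settings do not alter it
    last_activity: float


class SessionManager:
    def __init__(self, settings: OrgSettings):
        self.settings = settings
        self.users: dict = {}
        self.sessions: dict = {}

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def effective_timeout(self, user: User) -> float:
        # A personalized timeout wins only while the feature is enabled and the option is still offered.
        s = self.settings
        if (s.personalized_enabled and user.personalized_timeout is not None
                and user.personalized_timeout in s.personalized_options):
            return user.personalized_timeout
        return s.default_timeout

    def login(self, name: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)     # unguessable session identifier
        self.sessions[sid] = Session(name, self.effective_timeout(self.users[name]), now)
        return sid

    def status(self, sid: str, now: float) -> str:
        """Return 'active', 'warning' or 'expired'; expiry is enforced here, server-side."""
        sess = self.sessions.get(sid)
        if sess is None:
            return "expired"
        remaining = sess.idle_timeout - (now - sess.last_activity)
        if remaining <= 0:
            del self.sessions[sid]
            return "expired"
        return "warning" if remaining <= WARNING_BEFORE else "active"

    def touch(self, sid: str, now: float) -> bool:
        """Record user activity; False if the session had already expired."""
        if self.status(sid, now) == "expired":
            return False
        self.sessions[sid].last_activity = now
        return True

    def set_default_timeout(self, seconds: float) -> None:
        self.settings.default_timeout = seconds   # applies at next login only

    def remove_personalized_option(self, seconds: float) -> list:
        """Withdraw an option and end the active sessions of users who had selected it."""
        self.settings.personalized_options.discard(seconds)
        ended = []
        for sid, sess in list(self.sessions.items()):
            if self.users[sess.user].personalized_timeout == seconds:
                del self.sessions[sid]
                ended.append(sess.user)
        return ended


def demo() -> dict:
    """Walk through the page's rules with constructed users; returns the observed outcomes."""
    settings = OrgSettings(personalized_enabled=True,
                           personalized_options={15 * 60, 60 * 60, NON_EXPIRING})
    mgr = SessionManager(settings)
    mgr.add_user(User("admin"))                                      # no personalized choice
    mgr.add_user(User("analyst", personalized_timeout=15 * 60))
    mgr.add_user(User("soc-display", personalized_timeout=NON_EXPIRING))
    out = {}
    a = mgr.login("admin", now=0)
    out["admin_20min"] = mgr.status(a, now=20 * 60)                  # 'active'
    out["admin_26min"] = mgr.status(a, now=26 * 60)                  # 'warning'
    out["admin_31min"] = mgr.status(a, now=31 * 60)                  # 'expired'
    b = mgr.login("admin", now=0)
    mgr.touch(b, now=25 * 60)                                        # activity resets the idle clock
    out["touched_40min"] = mgr.status(b, now=40 * 60)                # 'active'
    c = mgr.login("analyst", now=0)
    out["analyst_16min"] = mgr.status(c, now=16 * 60)                # 'expired' (15 min wins)
    d = mgr.login("admin", now=0)
    mgr.set_default_timeout(10 * 60)                                 # change default after d logged in
    out["old_session_12min"] = mgr.status(d, now=12 * 60)            # 'active' (keeps 30 min)
    e = mgr.login("admin", now=0)
    out["new_session_12min"] = mgr.status(e, now=12 * 60)            # 'expired' (gets 10 min)
    f = mgr.login("soc-display", now=0)
    out["display_one_year"] = mgr.status(f, now=365 * 24 * 3600)     # 'active'
    out["ended_on_removal"] = mgr.remove_personalized_option(NON_EXPIRING)   # ['soc-display']
    out["display_after_removal"] = mgr.status(f, now=1)              # 'expired'
    g = mgr.login("soc-display", now=0)
    out["display_new_timeout"] = mgr.sessions[g].idle_timeout        # 600, the current default
    return out
```

The point to take from the model is that every decision is made on the server from the session’s own `last_activity` and a timeout captured at login; a client-side countdown can only warn, never enforce, and the 5-minute warning is derived from the same server-side remaining time.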