Customize session timeout settings
The Insight Platform and Insight products have a default idle session timeout of 30 minutes, but you may have policies or use cases at your organization that make a shorter or longer idle session timeout more practical. If that’s the case, you can customize idle session timeout settings from the Insight Platform.
- Before you begin
- Customize the Default Session Timeout
- Enable and customize Personalized Session Timeouts
Before you begin
- Idle session timeout is the amount of time a user can remain idle before the session is automatically ended or “expired.” After the session expires, the user must log in again.
- Only Platform Administrator users can edit an organization’s idle session timeout settings.
- All users receive a 5-minute session timeout warning before their session expires.
- The Open Web Application Security Project (OWASP) cites common session timeout ranges of 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications. If you want more details about session timeouts, we recommend you check out OWASP’s Session Management Cheat Sheet: https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet.html
InsightVM idle session timeout settings
For any users logged into InsightVM, idle session timeout settings established on the on-premise console override any idle session timeout settings at the Platform level.
Customize the Default Session Timeout
The Default Session Timeout set at the Platform level applies to all Insight Platform and Insight product users (except InsightVM users) unless they set a Personalized Session Timeout. The Default Session Timeout is initially 30 minutes, but you can increase or decrease this initial timeout setting to suit your organization’s policies and needs.
Changing your Default Session Timeout
If you change the Default Session Timeout, the change is applied when a user next logs in. Any users that are logged in at the time of the change retain the session timeout as defined at the time of their login.
To change the Default Session Timeout:
- From the Insight Platform, go to Company Settings > Session Timeout.
- Select a new time from the Default Session Timeout dropdown list.
Enable and customize Personalized Session Timeouts
The Personalized Session Timeouts feature enables Insight Platform and Insight product users to establish their own idle session timeout through their Profile Settings. If a user establishes their own idle session timeout, it overrides whatever Default Session Timeout is set. If a user does not establish their own session timeout, the Default Session Timeout still applies.
For users to have the option of establishing their own idle session timeout, a Platform Administrator must enable Personalized Session Timeouts and select the idle timeout session options you want to make available to them.
To enable and customize Personalized Session Timeouts:
- In the Insight Platform, go to Company Settings > Session Timeout.
- Click the toggle button to Enable Personalized Session Timeouts.
- Select the idle timeout sessions you want to make available to users.
Non-Expiring timeout session
Non-Expiring means that the user’s session remains active until they log out. No length of idle time results in session expiration when a user selects the Non-Expiring option. This may be appropriate if you want a session to remain active so you can continuously display Insight product data on screens in a secure SOC for monitoring.
Removing Personalized Session Timeout options
If you remove a Personalized Session Timeout option, active sessions are ended for all users with that option selected in their Profile Settings and their idle session timeout returns to the default.
After you enable Personalized Session Timeouts, Insight users can navigate to their Profile Settings and establish their own session timeout by choosing one of the options you made available to them.