
Change session timeout

important

By default, the session timeout is 100 days.

This means that a user is logged out only after 100 days of inactivity. Put another way: each time the user is active after their access token has expired, the session is refreshed and its lifetime is extended by another 100 days from that moment. A session therefore ends either when the user stays inactive for 100 days or when it is revoked.

This value can be changed by:

  • Changing the refresh_token_validity value (time in minutes): determines the overall session timeout, i.e. how long a session survives without being refreshed.
    • The default is 144000 minutes (100 days).
  • Changing the access_token_validity value (time in seconds): does not affect the overall session timeout, but determines how often the frontend has to refresh the session.
    • The default is 3600 seconds (1 hour).
    • This value does not change what the user experiences; it only affects the security properties of the session system, since it bounds how long a single access token stays usable.
```bash
docker run \
-p 3567:3567 \
-e REFRESH_TOKEN_VALIDITY=<Default: 144000> \
-e ACCESS_TOKEN_VALIDITY=<Default: 3600> \
-d registry.supertokens.io/supertokens/supertokens-<db name>
```

security

We recommend keeping access_token_validity as small as possible because:

  • If an access token is stolen, the theft can only be detected when the session is next refreshed, i.e. only after the stolen access token has expired.
  • If the session is revoked but the user (or an attacker) still holds a valid access token, they can keep calling your APIs until that token expires, unless you switch on access token blacklisting.
caution

Setting access_token_validity to more than 400 days may disable session refreshing in Chrome (and Chromium-based browsers): Chrome caps the lifetime of a cookie at 400 days, so the session cookie expires after 400 days with or without activity.

This is a limitation imposed by Chrome, not by SuperTokens. For more information, check here.
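The following is an added example, not SuperTokens code: it models the behaviour this page describes so that a proposed pair of settings can be sanity-checked before it is put into the Docker command above. `check_config` flags the unit mix-up (minutes versus seconds), an access token that outlives its refresh token, and values over Chrome's 400-day cookie cap; `Session` replays the sliding expiry (each successful refresh extends the session by refresh_token_validity), the fact that a refresh only happens once the access token has expired, and the post-revocation window that exists unless blacklisting is on. The `Session` class, the `request` outcomes and the scenario timestamps are constructed for illustration; only the two core settings and their defaults come from the page.

```python
"""Added example (not SuperTokens code): a model of refresh_token_validity and
access_token_validity as the page describes them.  All times are in seconds
except where the core's own units (minutes for refresh validity) are noted."""
from dataclasses import dataclass, field
from typing import List, Optional

MINUTE = 60
DAY = 24 * 60 * MINUTE
CHROME_COOKIE_CAP_SEC = 400 * DAY   # Chrome caps cookie Max-Age/Expires at 400 days

DEFAULT_REFRESH_TOKEN_VALIDITY_MIN = 144_000  # 100 days (core default, minutes)
DEFAULT_ACCESS_TOKEN_VALIDITY_SEC = 3_600     # 1 hour  (core default, seconds)


def check_config(refresh_token_validity_min: int, access_token_validity_sec: int) -> List[str]:
    """Return the problems with a proposed (refresh, access) pair; empty list means OK."""
    if refresh_token_validity_min <= 0 or access_token_validity_sec <= 0:
        return ["both validities must be positive"]
    problems: List[str] = []
    refresh_sec = refresh_token_validity_min * MINUTE   # convert the core's minutes to seconds
    if access_token_validity_sec >= refresh_sec:
        problems.append("access token outlives the refresh token: the session can never be refreshed")
    if access_token_validity_sec > CHROME_COOKIE_CAP_SEC:
        problems.append("access_token_validity exceeds 400 days: Chrome may never trigger a refresh")
    if refresh_sec > CHROME_COOKIE_CAP_SEC:
        problems.append("refresh_token_validity exceeds 400 days: Chrome drops the cookie after 400 days anyway")
    return problems


@dataclass
class Session:
    """Constructed model of one session's lifetime (not the SDK's session object)."""
    created_at: int
    refresh_validity_sec: int
    access_validity_sec: int
    blacklisting: bool = False            # "access token blacklisting" from the page
    revoked_at: Optional[int] = None
    refresh_expires_at: int = field(init=False)
    access_expires_at: int = field(init=False)
    refreshed_at: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.refresh_expires_at = self.created_at + self.refresh_validity_sec
        self.access_expires_at = self.created_at + self.access_validity_sec

    def revoke(self, t: int) -> None:
        self.revoked_at = t

    def request(self, t: int) -> str:
        """Outcome of an API call at time t: 'ok', 'refreshed' or 'logged_out'."""
        if t < self.access_expires_at:
            # Access token still valid: it is accepted as-is.  A revoked session
            # gets through here unless blacklisting makes every request check the core.
            if self.blacklisting and self.revoked_at is not None and t >= self.revoked_at:
                return "logged_out"
            return "ok"
        # Access token expired: the frontend must refresh, which is where
        # revocation (and token-theft detection) take effect.
        if self.revoked_at is not None and t >= self.revoked_at:
            return "logged_out"
        if t >= self.refresh_expires_at:
            return "logged_out"            # inactive for longer than refresh_token_validity
        # Successful refresh: both lifetimes slide forward from now.
        self.refreshed_at.append(t)
        self.refresh_expires_at = t + self.refresh_validity_sec
        self.access_expires_at = t + self.access_validity_sec
        return "refreshed"

    def exposure_window(self, t: int) -> int:
        """Seconds a stolen (or revoked-but-unblacklisted) access token stays usable
        after time t, i.e. the time until the next refresh can catch it."""
        return max(0, self.access_expires_at - t)


def session_from_core_settings(created_at: int,
                               refresh_token_validity_min: int = DEFAULT_REFRESH_TOKEN_VALIDITY_MIN,
                               access_token_validity_sec: int = DEFAULT_ACCESS_TOKEN_VALIDITY_SEC,
                               blacklisting: bool = False) -> Session:
    """Build a Session from values expressed in the core's own units."""
    return Session(created_at, refresh_token_validity_min * MINUTE,
                   access_token_validity_sec, blacklisting)


if __name__ == "__main__":
    s = session_from_core_settings(0)                        # defaults: 100 days / 1 hour
    print(s.request(99 * DAY), s.refresh_expires_at // DAY)  # refreshed 199
    print(s.request(198 * DAY), s.refresh_expires_at // DAY) # refreshed 298
    print(s.request(299 * DAY))                              # logged_out
    print(check_config(144_000, 401 * DAY))                  # two problems
```

The point of `exposure_window` is the security note above: with the default 3600-second access token, a revoked session or a stolen token can be used for up to an hour before a refresh forces the check; shrinking access_token_validity shrinks exactly that window, at the cost of more frequent refresh calls.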
