We have two questions regarding short sessions on our self-hosted Retool instance.
What is the minimum session length we can set with SSO login? The documentation states "If you need to restrict session durations further, you can reduce this to 12 hours," but the configuration allows setting it to 60 minutes (which is what we need). However, we're seeing inconsistent behavior: some users remain logged in seemingly for days, while others report being logged out much more frequently than expected.
What constitutes session activity, and does activity extend the session? Will users be logged out exactly 60 minutes after login, even if actively using Retool? We have reports of users being logged out after just 15-20 minutes, and we're unsure if this could be related to multiple tabs, whether activity resets the timer, etc.
The documentation seems lacking in this area. Our goal is 60-minute sessions that extend with activity, or at minimum, prompt users to extend their session before timing out.
Here is the relevant configuration on our on-prem instance:
USE_SHORT_SESSIONS="true"
(Default: "false")
Set to true if you want to enable short sessions. This requires users to log in every 12 hours (default is 1 week if this is not enabled, which gets extended at each login). This works with SSO as well.
SESSION_DURATION_MINUTES="60"
Hi @cardouken, I believe the minimum session duration that you can set is 10 minutes long, and the max is 30 days. The documentation about reducing it to 12 hours is referencing the short session option.
The short sessions as they exist now should last for the duration that you set, and aren't affected by user activity. So a user would have to log in again every 60 minutes regardless of activity, so it's possible to log in, work on something else for 50 min, and then come back to Retool and lose your session after 10 minutes.
Maybe the short session option is interfering with your custom session length? Try having short sessions set to OFF while still having your user session duration set to 60 minutes.
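The fixed-lifetime behaviour described in this reply, next to the activity-extended sessions asked for in the question, as an added example that is not part of the thread and is not Retool's code. It is a generic model of the two expiry policies; the `Session` class, `replay`, `warn_at` and the timeline are constructed for illustration and assume nothing about Retool's internals.

```python
from dataclasses import dataclass


@dataclass
class Session:
    login_at: int          # minute of login
    duration: int          # session length in minutes (60 in the thread)
    sliding: bool = False  # False = fixed lifetime, True = extended by activity
    last_seen: int = -1    # minute of the last accepted request

    def __post_init__(self):
        self.last_seen = self.login_at

    def expires_at(self) -> int:
        # Fixed: the clock starts at login and never moves.
        # Sliding: the clock restarts at every accepted request.
        base = self.last_seen if self.sliding else self.login_at
        return base + self.duration

    def touch(self, now: int) -> bool:
        """Record a request at `now`; return False if the session already expired."""
        if now >= self.expires_at():
            return False
        self.last_seen = now
        return True


def replay(session: Session, events):
    """Return the minute of the first rejected request, or None if none is rejected."""
    for t in events:
        if not session.touch(t):
            return t
    return None


def warn_at(session: Session, lead: int = 5) -> int:
    """Minute at which a 'session about to expire' prompt would be due (hypothetical)."""
    return session.expires_at() - lead


# Constructed timeline: log in at minute 0, work elsewhere, come back at
# minute 50 and send a request every 2 minutes until minute 80.
EVENTS = [0] + list(range(50, 81, 2))


def first_logout(sliding: bool):
    return replay(Session(login_at=0, duration=60, sliding=sliding), EVENTS)


if __name__ == "__main__":
    print("fixed lifetime, first rejected request at minute:", first_logout(False))
    print("sliding expiry, first rejected request at minute:", first_logout(True))
```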
Hi @Mike_M, ok, we’ll try it without short sessions enabled to see if that will work. But then I’m not entirely sure what the short session option does exactly? I thought that would have to be enabled for the session duration value to take effect, but if it works without, then the short sessions option seems redundant?
Also I assume there’s no way for us to configure or write something up ourselves to allow users to extend their session? We unfortunately need the 1hr session limit, but it can be very disruptive if someone is in the middle of filling out a long form and then gets logged out halfway through without the option to extend and not even a warning.
Those are all fair questions. Ultimately, I've heard that the user-specified session duration should just override the short session boolean, but I also heard that the short session has that automatic logout issue. I was thinking that maybe by having both on you were still getting the automatic logout from the short session, but if the user session works the same way then you'll still get automatically logged out.
I found a ticket of another customer having this issue 10 months ago so I'm in the process of tracking that down and seeing if there was any resolution to it. I'll let you know if I find anything useful!