The inactivity timeout governs when a user's login session is invalidated based upon inactivity. This article will highlight best practices that are implemented by default and how you can change the default if you need a more aggressive timeout.
What is considered activity?
Any API request would be considered activity. Page views, edits, adding an attachment, changing a content ID, creating a user, etc. The only activity not registered with the inactivity timeout would be logging out.
Why should I have an inactivity timeout?
An inactivity timeout will ensure that you aren't always logged into your MindTouch site if you you aren't actively using it. Without this setting, you will always be logged into MindTouch which can present the danger of someone else accessing MindTouch through your logged in account.
Best practice configuration
By default, your MindTouch site is configured to terminate a user's login session after 2 days of inactivity. This allows you to still be logged in as long as you interact with the MindTouch site within a 2 day period. When a cookie is set within MindTouch, it is by default set to 7 days. When activity is detected, the session is extended but is still capped at 7 days from when the cookie was originally set.
Learn more about security best practices by reviewing all of our Security documentation.