
Best Practice: Inactivity Timeout

This page applies to: MindTouch Responsive

The inactivity timeout governs when a user's login session is invalidated based upon inactivity. This article will highlight best practices that are implemented by default and how you can change the default if you need a more aggressive timeout.

What is considered activity?

Any API request counts as activity: page views, edits, adding an attachment, changing a content ID, creating a user, and so on. The only activity that does not register with the inactivity timeout is logging out.

Why should I have an inactivity timeout?

An inactivity timeout ensures that you aren't always logged in to your MindTouch site if you aren't actively using it. Without this setting, you will always be logged in to MindTouch, which presents the danger of someone else accessing MindTouch through your logged-in account.

Best practice configuration

By default, your MindTouch site is configured to terminate a user's login session after 2 days of inactivity. This allows you to stay logged in as long as you interact with the MindTouch site within a 2-day period. When a cookie is set within MindTouch, it is set by default to 7 days. When activity is detected, the session is extended, but it is still capped at 7 days from when the cookie was originally set.
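
The interaction between the 2-day inactivity window and the 7-day cap can be modelled as follows. This is an added example, not MindTouch code: the Session class, its method names and the strict "before expiry" comparison are assumptions; only the 2-day and 7-day defaults and the logout rule come from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(days=2)       # default inactivity timeout stated on this page
ABSOLUTE_LIFETIME = timedelta(days=7)  # default cookie lifetime stated on this page


@dataclass
class Session:  # hypothetical model, not the product's session object
    issued_at: datetime       # when the cookie was originally set
    last_activity: datetime   # last API request that counted as activity

    def expires_at(self) -> datetime:
        """Effective expiry: the idle window, capped at 7 days from issue."""
        return min(self.last_activity + IDLE_TIMEOUT,
                   self.issued_at + ABSOLUTE_LIFETIME)

    def is_valid(self, now: datetime) -> bool:
        # Assumption: the session is rejected at exactly the expiry instant.
        return now < self.expires_at()

    def request(self, now: datetime, action: str = "page_view") -> bool:
        """Process one API request; return True if the session was accepted."""
        if not self.is_valid(now):
            return False                 # expired: the user must log in again
        if action != "logout":           # logging out is not registered as activity
            self.last_activity = now
        return True


def simulate(offsets_in_days, start=datetime(2024, 1, 1)):
    """Replay requests at the given day offsets; return accept/reject per request."""
    s = Session(issued_at=start, last_activity=start)
    return [s.request(start + timedelta(days=d)) for d in offsets_in_days]


if __name__ == "__main__":
    # Constructed timelines, in days since login.
    print(simulate([1, 2.5, 4, 5.5, 6.9, 7.1]))  # active user still hits the 7-day cap
    print(simulate([1, 3.5]))                    # 2.5 days idle, so the request is rejected
```

The first timeline shows that a user who never goes idle for 2 days is still forced to log in again once 7 days have passed since the cookie was set.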

What's next

Read more about inactivity timeout. You can also learn more about security best practices by reviewing all of our security documentation.
