Absolute session timeout is the maximum total lifetime of a session before it must end or require reauthentication, regardless of user activity. It matters because some sessions should not remain valid indefinitely even if they stay active.
What is Absolute Session Timeout?
This control sets a hard upper bound on how long a session may continue before the user must authenticate again. It helps limit the usefulness of stolen or quietly abused sessions that might otherwise remain valid for too long.
What Absolute Session Timeout Commonly Supports
Common use cases include high-risk administrative portals, financial workflows, sensitive cloud consoles, and systems where long-lived sessions create meaningful security concerns.
Absolute Session Timeout vs. Idle Timeout
Idle timeout depends on inactivity: the clock restarts with every request, so a session that stays busy never expires. Absolute timeout ends the session after a fixed total duration measured from authentication, whether the session is active or not. The two are complementary, and a system that enforces both ends a session at whichever limit is reached first.
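The following is an added example, not code from the original page, showing how a server-side session check enforces both limits. The timeout values, the Session fields and the helper names are assumptions chosen for illustration; the simulation shows that a session kept continuously active still dies at the absolute cap.

```python
from dataclasses import dataclass

# Assumed policy values: 15 minutes idle, 8 hours absolute.
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float  # time of authentication; never refreshed
    last_seen: float   # time of the most recent request; refreshed on activity


def check_session(s: Session, now: float,
                  idle_s: int = IDLE_TIMEOUT_S,
                  absolute_s: int = ABSOLUTE_TIMEOUT_S) -> str:
    """Return 'ok' while the session is valid, else the reason it must end."""
    # Absolute limit first: measured from login, independent of activity,
    # so a session an attacker keeps 'warm' still ends at the hard cap.
    if now - s.created_at >= absolute_s:
        return "expired_absolute"
    if now - s.last_seen >= idle_s:
        return "expired_idle"
    return "ok"


def touch(s: Session, now: float) -> None:
    """Record activity: refreshes only the idle clock, not created_at."""
    s.last_seen = now


def simulate(interval_s: float, stop_after_s: float,
             idle_s: int = IDLE_TIMEOUT_S,
             absolute_s: int = ABSOLUTE_TIMEOUT_S):
    """Replay a client that sends one request every interval_s seconds.

    Returns (elapsed_seconds, status) at the first failed check, or
    (stop_after_s, 'ok') if the session survives the whole window.
    """
    s = Session("alice", created_at=0.0, last_seen=0.0)  # constructed sample
    t = 0.0
    while True:
        t += interval_s
        status = check_session(s, t, idle_s, absolute_s)
        if status != "ok":
            return t, status
        touch(s, t)
        if t >= stop_after_s:
            return t, "ok"


if __name__ == "__main__":
    print(simulate(5 * 60, 10 * 3600))   # active every 5 min: absolute cap
    print(simulate(20 * 60, 10 * 3600))  # 20 min gaps: idle limit
```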
Frequently Asked Questions
Why is absolute session timeout important?
Because it caps how long a compromised session can remain useful, even in the attacker's best case, where the session is kept continuously active so that an idle timeout never fires.
Should every system use the same value?
No. Higher-risk systems usually justify shorter maximum session lifetimes.