---
title: Session Timeouts
description: >-
  Configure session timeout settings to enhance security and comply with organizational policies.
---

# Session Timeouts

Session timeout settings control how long users can remain logged into Gail before being automatically signed out. These settings help protect accounts from unauthorized access and ensure compliance with organizational security policies.

## Overview

Gail provides two types of session timeout controls:

1. **Inactivity Timeout** - Automatically logs out users after a period of inactivity
2. **Maximum Session Duration** - Requires re-authentication after a set time, regardless of activity

Both settings work independently to provide comprehensive session security.

## Accessing Session Timeout Settings

To configure session timeout settings:

1. Navigate to **Admin Settings** in your Gail dashboard
2. Select the **Security** tab
3. Locate the **Session Timeouts** section

Only administrators have access to security settings. Contact your workspace admin if you need to adjust these settings.

## Inactivity Timeout

### What It Does

The inactivity timeout automatically signs out users who have been idle for a specified duration. This protects accounts when users step away from their devices without manually logging out.

### How It Works

* Gail monitors user activity (clicks, keystrokes, page navigation)
* When no activity is detected for the configured period, a warning appears
* If the user doesn't respond to the warning, they're automatically logged out
* Users must log back in to resume their session

### Configuring Inactivity Timeout

1. Go to **Admin Settings** → **Security** → **Session Timeouts**
2. Locate the **Inactivity Timeout** setting
3. Enter the desired timeout duration (in minutes)
4. Click **Save Changes**

**Common Settings:**

* **15 minutes** - High security environments (financial services, banking)
* **30 minutes** - Standard business settings
* **60 minutes** - Relaxed environments with lower security requirements
* **Disabled** - No automatic logout based on inactivity (not recommended)

### Best Practices

* Set shorter timeouts (15-30 minutes) for workspaces handling sensitive data
* Consider your team's workflow patterns - shorter timeouts may interrupt long tasks
* Balance security needs with user productivity
* Notify your team before implementing stricter timeout policies

### Example Use Cases

**Banking Institution:**

```
Inactivity Timeout: 15 minutes
Reason: Regulatory compliance requires automatic logout to protect customer financial data
```

**Insurance Agency:**

```
Inactivity Timeout: 30 minutes
Reason: Balance security with agent productivity during long customer calls
```

**Financial Advisory Firm:**

```
Inactivity Timeout: 60 minutes
Reason: Advisors frequently switch between client calls and portfolio research
```

## Maximum Session Duration

### What It Does

Maximum session duration enforces periodic re-authentication, even while users are actively using Gail. This ensures credentials are re-verified at regular intervals, reducing the risk from compromised sessions.

### How It Works

* A timer starts when a user logs in
* When the maximum session duration is reached, the user is automatically logged out
* This happens regardless of whether the user is actively using Gail
* Users must re-authenticate with their credentials to continue

### Configuring Maximum Session Duration

1. Go to **Admin Settings** → **Security** → **Session Timeouts**
2. Locate the **Maximum Session Duration** setting
3. Enter the desired duration (in hours)
4. Click **Save Changes**

**Common Settings:**

* **4 hours** - Very high security environments
* **8 hours** - Standard business day security
* **12 hours** - Extended work sessions
* **24 hours** - Minimal forced re-authentication

### Best Practices

* Align maximum session duration with your typical workday
* Consider time zones if your team is distributed globally
* Set to 8 hours for standard business day alignment
* Communicate the policy to avoid user frustration

### Example Use Cases

**Financial Services Firm:**

```
Maximum Session Duration: 8 hours
Reason: Compliance framework requires re-authentication twice per business day
```

**24/7 Call Center:**

```
Maximum Session Duration: 12 hours
Reason: Accommodate different shift lengths while maintaining security
```

**Small Business:**

```
Maximum Session Duration: 24 hours
Reason: Minimal disruption for small team with lower security requirements
```

## Combining Both Settings

For optimal security, use both inactivity timeout and maximum session duration together. They address different security scenarios:

### Recommended Combinations

**High Security Environment:**

```
Inactivity Timeout: 15 minutes
Maximum Session Duration: 8 hours
```

This configuration protects against both unattended devices and prolonged session exposure.

**Standard Business Environment:**

```
Inactivity Timeout: 30 minutes
Maximum Session Duration: 12 hours
```

Balances security with user convenience for typical business operations.

**Relaxed Environment:**

```
Inactivity Timeout: 60 minutes
Maximum Session Duration: 24 hours
```

Minimal interruption while still maintaining basic session security.

## User Experience

### Warning Messages

Before automatic logout, users see a warning:

* **Inactivity Warning:** "You've been inactive for [X] minutes. You'll be logged out in 2 minutes unless you interact with the page."
* **Session Expiration Warning:** "Your session will expire in 5 minutes. Please save your work."
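To make the interaction between the two timers concrete, here is an added Python model of the decision logic described above (example code written for this page, not Gail's implementation). It assumes the inactivity warning fires when the configured idle period is reached and logout follows after the 2-minute grace quoted in the warning text, the expiry warning appears 5 minutes before the maximum duration, and the state names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Grace windows taken from the warning messages on this page.
INACTIVITY_GRACE = timedelta(minutes=2)   # "logged out in 2 minutes unless..."
EXPIRY_WARNING = timedelta(minutes=5)     # "session will expire in 5 minutes"

@dataclass
class TimeoutPolicy:
    inactivity_minutes: Optional[int]   # None models the "Disabled" setting
    max_session_hours: int

@dataclass
class Session:
    login_at: datetime
    last_activity_at: datetime   # reset by activity in any tab of the session

def evaluate(session: Session, policy: TimeoutPolicy, now: datetime) -> str:
    """Return the state the UI should show at `now` (constructed state names)."""
    age = now - session.login_at
    max_duration = timedelta(hours=policy.max_session_hours)
    # The hard limit is checked first: it applies regardless of activity,
    # so a busy user is still logged out when the maximum duration is reached.
    if age >= max_duration:
        return "logged_out_max_duration"
    if policy.inactivity_minutes is not None:
        idle = now - session.last_activity_at
        idle_limit = timedelta(minutes=policy.inactivity_minutes)
        if idle >= idle_limit + INACTIVITY_GRACE:
            return "logged_out_inactivity"
        if idle >= idle_limit:          # warning shown, 2-minute grace running
            return "warn_inactivity"
    if age >= max_duration - EXPIRY_WARNING:
        return "warn_expiry"
    return "active"

T0 = datetime(2024, 1, 1, 9, 0)   # constructed login time for the checks below

def state_at(policy: TimeoutPolicy, mins_since_login: int, mins_idle: int) -> str:
    """Helper: state of a session that logged in at T0 (constructed data)."""
    now = T0 + timedelta(minutes=mins_since_login)
    last = now - timedelta(minutes=mins_idle)
    return evaluate(Session(login_at=T0, last_activity_at=last), policy, now)

# The "High Security Environment" combination recommended above.
HIGH_SECURITY = TimeoutPolicy(inactivity_minutes=15, max_session_hours=8)
```

With the high-security policy, `state_at(HIGH_SECURITY, 476, 1)` returns the expiry warning even though the user was active a minute ago, which is exactly the difference between the two controls.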
### What Happens on Timeout

When a timeout occurs:

1. User is immediately logged out
2. Any unsaved changes may be lost
3. User is redirected to the login page
4. A message explains why they were logged out

Remind users to save their work regularly, especially when configuring shorter timeout periods.

## Implementation Best Practices

### Planning Your Rollout

1. **Review Requirements** - Check if your industry or compliance framework mandates specific timeout settings
2. **Pilot Test** - Test settings with a small group before rolling out organization-wide
3. **Document Policies** - Create internal documentation explaining timeout policies
4. **Communicate Changes** - Notify your team before implementing new timeout settings
5. **Monitor Feedback** - Gather user feedback and adjust if settings are too disruptive

### Avoiding Common Pitfalls

**Too Aggressive Settings:**

* Inactivity timeout under 10 minutes may interrupt legitimate work
* Can cause user frustration and productivity loss
* Users may develop workarounds (auto-clickers) that defeat the security purpose

**Too Lenient Settings:**

* Timeouts over 2 hours may not adequately protect against unauthorized access
* May not satisfy compliance requirements
* Increases the risk window for compromised sessions

**Not Testing Before Deployment:**

* Can lock out users unexpectedly
* May not account for specific workflows
* Can cause support tickets and productivity loss

## Compliance Considerations

Different compliance frameworks have specific session timeout requirements:

### PCI DSS (Payment Processing)

* Requires session timeout of 15 minutes or less for high-privilege accounts
* Standard accounts should time out within 30 minutes
* Must re-authenticate after timeout

### SOC 2

* Requires documented session timeout policies
* Timeout settings must align with stated security policies
* Regular review of timeout effectiveness

### GDPR (Data Protection)

* No specific timeout requirements
* Timeouts should be part of "appropriate technical measures"
* Document as part of data protection impact assessment

### GLBA (Financial Services)

* Requires safeguards to protect customer information
* Session timeouts are part of access control requirements
* Must implement automatic logout for unattended sessions
* Document timeout policies in security program

### FINRA (Securities)

* No explicit timeout requirements, but expects reasonable security measures
* Timeout settings should align with firm's cybersecurity policies
* Document as part of Written Supervisory Procedures (WSP)

Consult with your compliance team to determine the appropriate timeout settings for your organization's specific requirements.

## Troubleshooting

### Users Complaining About Frequent Logouts

**Check:**

* Is inactivity timeout too aggressive? Consider increasing by 15-minute increments
* Are users working across multiple tabs? Activity in one tab may not count toward all sessions
* Do workflows involve long periods without interaction? (e.g., reviewing documents, phone calls)

**Solutions:**

* Increase inactivity timeout if security requirements allow
* Train users to periodically click or move the mouse during long tasks
* Consider specific exceptions for certain user roles

### Users Not Being Logged Out as Expected

**Check:**

* Settings have been saved correctly
* No conflicting session management from SSO provider
* Browser extensions that may simulate activity

**Solutions:**

* Review and re-save timeout settings
* Check SSO provider session settings if applicable
* Test in incognito/private browsing mode

### Session Timeouts Not Working with SSO

When using Single Sign-On (SSO), timeout behavior may be controlled by your identity provider:

* Gail timeout settings apply to the Gail session only
* Identity provider may have its own session management
* Coordinate timeout policies between Gail and your IdP

## Viewing Active Sessions

To see currently active sessions:

1. Go to **Settings** → **Security** → **Active Sessions**
2. View all active sessions with details:
   * Device and browser information
   * IP address and location
   * Login time
   * Last activity time
3. Manually revoke sessions if needed

## Force Logout All Sessions

In case of security concerns, you can immediately end all active sessions:

1. Go to **Admin Settings** → **Security**
2. Click **Force Logout All Users**
3. Confirm the action
4. All users (except you) will be immediately logged out

Use force logout sparingly, as it will interrupt all active work sessions across your organization.

## Related Settings

Session timeout settings work alongside other security features:

* **[Multi-Factor Authentication (MFA)](/platform/settings/security-settings#multi-factor-authentication-mfa)** - Adds a verification step at login
* **[IP Address Restrictions](/platform/settings/security-settings#api-security)** - Limits access by location
* **[Password Policies](/platform/settings/security-settings#password-requirements)** - Controls password strength and rotation

## FAQ

### What happens to unsaved work when I'm logged out?

Unsaved changes may be lost when a session times out. Gail attempts to auto-save certain data, but we recommend saving your work regularly.

### Can I set different timeout settings for different users?

Currently, timeout settings apply organization-wide. Role-based timeout settings are planned for a future release.

### Do mobile apps have different timeout settings?

Mobile apps use the same timeout settings as the web application for consistency.

### Will API sessions also time out?

API authentication tokens have separate expiration settings. Session timeouts only affect browser-based sessions.

### Can users override timeout settings?

No, timeout settings are controlled by administrators and cannot be overridden by individual users.

### Does activity in one browser tab extend my session in another tab?

Activity in any Gail tab will reset the inactivity timer across all tabs in the same browser session.

## Need Help?

If you have questions about configuring session timeout settings or need assistance determining appropriate policies for your organization, please contact our support team at [support@meetgail.com](mailto:support@meetgail.com).

## Next Steps

* [Security Settings](/platform/settings/security-settings) - Configure additional security controls
* [Team Management](/platform/settings/team-management) - Manage user access and roles
* [Audit Logging](/platform/settings/security-settings#audit-logging) - Review security events and session activity