Authorization Timeout
Inactivity timeout
By default, user authorization will expire after 60 minutes of inactivity, requiring the user to sign in again to continue using their sessions. This is configurable by changing the auth-timeout-minutes setting in /etc/rstudio/rserver.conf. For example, to sign users out after 20 minutes of inactivity instead:
/etc/rstudio/rserver.conf
auth-timeout-minutes=20This setting supersedes the auth-stay-signed-in-days setting discussed below in Stay signed in, as it provides additional security by ensuring that users that are not actively using the system do not stay signed in. However, if you wish to allow users to stay signed in for many days at a time and disable the authorization timeout completely, set auth-timeout-minutes to 0, which will cause the auth-stay-signed-in-days setting’s behavior to be used instead.
Whenever a user is signed out, the database will be updated to store recently logged out/invalidated cookies, preventing the use of credential replay attacks.
Stay signed in
Users have an option to stay signed in across browser sessions when using PAM or Google authentication methods. By default when choosing the stay signed in option users will remain signed in for 30 days. You can modify this behavior using the auth-stay-signed-in-days setting. For example:
/etc/rstudio/rserver.conf
auth-stay-signed-in-days=7This setting is deprecated in favor of the auth-timeout-minutes setting for additional security. See Inactivity timeout above for more information.
Note that for this setting to take effect, auth-timeout-minutes must be set to 0.
If you want to prevent users from being able to stay signed in, you can prevent the “Stay Signed In” option from being shown to them by using the auth-stay-signed-in setting. For example:
/etc/rstudio/rserver.conf
auth-stay-signed-in=0Setting this option to 0 will result in users being prompted to log in each time they start a new browser session (i.e., logins will only be valid as long as the browser process in which they originated in remains running).
Active timeout
This feature is in preview. Preview features are unsupported and may face breaking changes in a future release. Any issues found in the feature will be addressed during the regular release schedule; they will not result in immediate patches or hotfixes.
We encourage customers to try these features and we welcome any feedback via Posit Support, but we recommend that the feature not be used in production until it is in general availability (i.e., officially released as a full feature). To provide feedback, please email your Posit Customer Success representative or sales@posit.co and specify that you are trialing this feature.
By default, user authorization will only expire after some period of inactivity, as discussed above in Inactivity timeout. Some organisations have a policy that requires users to re-authenticate after a given time period, regardless of activity level. This time limit can be configured in Workbench by changing auth-active-timeout-minutes in /etc/rstudio/rserver.conf. For example, to force users to sign out after 24 hours:
/etc/rstudio/rserver.conf
auth-active-timeout-minutes=1440