Invalidate Session After OAuth Token Expiration [New in Security Center 2.0]

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read
  • Set a system property to the secure value to prevent users from continuing to use a session via cookies after the OAuth token that created the session expires.

    When an OAuth access token is issued, the response also sets a session cookie. A user can keep using that session through the cookie even after the access token that created it expires. Set the glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled system property to prevent this.

    Ensure that the glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled system property exists in the System Properties [sys_properties] table and is set to true.
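    A small audit helper, added here as an example (not ServiceNow code), that reads the property from the Table API and classifies the result. The REST call uses the standard sys_properties Table API endpoint; the instance URL and credentials are assumed to come from environment variables, and the sample records at the bottom are constructed, not captured from a real instance. Note that a missing row is reported separately because the fallback value is false, so an absent property is effectively insecure.

```python
import json
import os
import urllib.parse
import urllib.request
from base64 import b64encode

PROPERTY = "glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled"
SECURE_VALUE = "true"


def evaluate_property(records, name=PROPERTY, secure_value=SECURE_VALUE):
    """Classify the sys_properties rows returned for one property name.

    Returns "secure", "insecure", "missing" or "duplicate".
    sys_properties stores values as strings, so the comparison is
    whitespace-tolerant and case-insensitive ("True " counts as true).
    "missing" is not safe: the page lists the fallback value as false.
    """
    rows = [r for r in records if r.get("name") == name]
    if not rows:
        return "missing"
    if len(rows) > 1:
        # Two rows with the same name make the effective value ambiguous.
        return "duplicate"
    value = str(rows[0].get("value", "")).strip().lower()
    return "secure" if value == secure_value else "insecure"


def fetch_property_records(instance_url, user, password, name=PROPERTY):
    """Query the Table API for the property. Network call; not exercised offline."""
    query = urllib.parse.urlencode({
        "sysparm_query": f"name={name}",
        "sysparm_fields": "name,value",
        "sysparm_limit": "10",
    })
    url = f"{instance_url.rstrip('/')}/api/now/table/sys_properties?{query}"
    auth = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": "Basic " + auth,
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


# Constructed sample responses (shape of the Table API "result" array)
SAMPLE_SECURE = [{"name": PROPERTY, "value": "true"}]
SAMPLE_INSECURE = [{"name": PROPERTY, "value": "false"}]
SAMPLE_MISSING = []
SAMPLE_DUPLICATE = [{"name": PROPERTY, "value": "true"},
                    {"name": PROPERTY, "value": "false"}]

if __name__ == "__main__":
    # Assumed environment variables; the names are this example's own choice.
    url = os.environ.get("SN_INSTANCE_URL")
    if url:
        records = fetch_property_records(url, os.environ["SN_USER"], os.environ["SN_PASSWORD"])
    else:
        records = SAMPLE_SECURE
    print(f"{PROPERTY}: {evaluate_property(records)}")
```

Run it with SN_INSTANCE_URL, SN_USER and SN_PASSWORD set to audit a real instance; without them it evaluates the constructed sample. Anything other than "secure" should be treated as a finding.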

    More information

    Configuration name: glide.authenticate.oauth.post.token.expiration.cookie_auth.disabled
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Recommended value: true
    Default value: true
    Fallback value: false
    Category: Session management
    Security risk:
    • Severity score: Medium
    • CVSS score: 6.8
    • Security risk details: If an OAuth token is leaked or compromised, the lack of expiration would allow an attacker to use and extend the session via the created cookie. Malicious users can use such sessions to access unauthorized resources and take unauthorized actions. Set this property to the secure value to eliminate this hidden session extension mechanism and reduce replay risk by enforcing token expiration.
    Dependencies and prerequisites: None
    Functional impact:
    Impact when set to true:
    • Sessions end immediately when the access token expires.
    • Cookies no longer refresh session validity.
    • Clients must use refresh tokens or re-authenticate to obtain a new access token.
    Potential breakage:
    • Legacy clients or custom integrations that rely on cookie-based session extension fail after token expiry.
    • Long-running jobs without token renewal logic may encounter 401 errors.
    What continues to work:
    • Standard OAuth flows with refresh tokens.
    • Properly designed integrations that renew tokens proactively.
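    The "renew tokens proactively" pattern from the functional-impact section, as an added example that is not part of this page: a client wrapper that tracks the access token's expiry and calls the refresh grant a configurable number of seconds before it lapses, so a long-running job never relies on the session cookie and never hits the 401 that cookie-less expiry now produces. The token endpoint and clock are simulated (constructed) so the simulation runs offline; in a real integration refresh_fn would POST grant_type=refresh_token to the instance's oauth_token.do endpoint.

```python
import time
from dataclasses import dataclass


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds


class ProactiveTokenClient:
    """Holds an OAuth token set and refreshes it before it expires.

    refresh_fn(refresh_token) -> dict with access_token, expires_in and,
    if the server rotates it, refresh_token. `skew` is how many seconds
    before the stated expiry a refresh is forced, covering clock drift
    and request latency.
    """

    def __init__(self, initial, refresh_fn, skew=60, now_fn=time.time):
        self._tokens = initial
        self._refresh_fn = refresh_fn
        self._skew = skew
        self._now = now_fn
        self.refresh_count = 0

    def needs_refresh(self):
        return self._now() >= self._tokens.expires_at - self._skew

    def access_token(self):
        # Refresh happens on the caller's path, before the request is sent,
        # so the cookie is never needed to extend the session.
        if self.needs_refresh():
            self._refresh()
        return self._tokens.access_token

    def _refresh(self):
        resp = self._refresh_fn(self._tokens.refresh_token)
        self._tokens = TokenSet(
            access_token=resp["access_token"],
            refresh_token=resp.get("refresh_token", self._tokens.refresh_token),
            expires_at=self._now() + float(resp["expires_in"]),
        )
        self.refresh_count += 1

    def authorization_header(self):
        return {"Authorization": f"Bearer {self.access_token()}"}


class FakeClock:
    """Constructed clock so the simulation is deterministic and offline."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def make_fake_token_endpoint(lifetime=1800):
    """Constructed stand-in for the refresh grant: rotates refresh tokens
    and rejects anything that does not look like one it issued."""
    counter = {"n": 0}

    def refresh(refresh_token):
        if not refresh_token.startswith("rt-"):
            raise PermissionError("invalid_grant")
        counter["n"] += 1
        n = counter["n"]
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}",
                "expires_in": lifetime}

    return refresh


def run_simulation(steps=7, step_seconds=600):
    """Drive a long-running job that makes one call every step_seconds.
    Returns the access token used at each step and the refresh count."""
    clock = FakeClock()
    client = ProactiveTokenClient(
        TokenSet("at-0", "rt-0", expires_at=1800.0),
        make_fake_token_endpoint(), skew=60, now_fn=clock.now)
    used = []
    for _ in range(steps):
        used.append(client.access_token())
        clock.advance(step_seconds)
    return used, client.refresh_count


if __name__ == "__main__":
    tokens, refreshes = run_simulation()
    print(tokens, refreshes)
```

With a 1800-second token, a 60-second skew and one call every 600 seconds, the job refreshes at t=1800 and t=3600 and is never caught holding an expired token; remove the refresh logic and the same job would start receiving 401s once the property is enabled.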