Define active session timeout exception roles [New in Security Center 1.3]

  • Release version: Xanadu
  • Updated June 25, 2025
  • Use a system property to exempt roles from active session timeout limits.

    Use the glide.active.session.timeout.exception.roles system property to exempt roles from the active session timeout limit. The active session timeout feature helps ensure that a hijacked session cannot be used indefinitely without providing authentication information. As a best practice, consider an active session timeout exception only for internal integration account roles.

    Set the glide.active.session.timeout.exception.roles property to the roles that should be exempt from active session timeouts. The property value is a comma-separated list of roles. The default value is edge_encryption,mid_server,maint.

    More information

    Attribute                      | Description
    Configuration name             | glide.active.session.timeout.exception.roles
    Configuration type             | System Properties (/sys_properties_list.do)
    Data type                      | string
    Recommended value              | edge_encryption,mid_server,maint
    Default value                  | edge_encryption,mid_server,maint
    Fallback value                 | edge_encryption,mid_server,maint
    Category                       | Session management
    Security risk                  | • Severity score: 6.4
                                   | • CVSS score: Medium
                                   | • Consider an active session timeout limit exception only for internal integration account roles. If a user is a victim of a session hijacking attempt and has a role with an exception, attackers using that session can continue to authenticate to that session indefinitely. This may increase the impact of a security incident by giving an attacker more time to make use of a hijacked account.
    Dependencies and prerequisites | None
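
A configuration check for the property described above, added here as an example and not taken from the product or its documentation: it parses the comma-separated value and reports roles exempted beyond the recommended value. The function names, the `approved` parameter and the sample value are assumptions made for illustration.

```javascript
// Added example: audit the exception-role list against this page's recommended value.
var PROPERTY = 'glide.active.session.timeout.exception.roles';
var BASELINE = ['edge_encryption', 'mid_server', 'maint']; // recommended and default value

// Split the comma-separated value into trimmed, de-duplicated role names.
// Names are compared exactly as written (case-sensitive).
function parseRoles(value) {
  var roles = [];
  String(value == null ? '' : value).split(',').forEach(function (raw) {
    var role = raw.trim();
    if (role && roles.indexOf(role) === -1) roles.push(role);
  });
  return roles;
}

// Report roles exempted beyond the baseline and baseline roles that were removed.
// `approved` (assumption): extra internal integration roles a reviewer has signed off on.
function auditExceptionRoles(value, approved) {
  var allowed = BASELINE.concat(approved || []);
  var roles = parseRoles(value);
  var unexpected = roles.filter(function (r) { return allowed.indexOf(r) === -1; });
  var missing = BASELINE.filter(function (r) { return roles.indexOf(r) === -1; });
  return {
    property: PROPERTY,
    roles: roles,
    unexpected: unexpected,    // exempt from the active session timeout without review
    missingBaseline: missing,  // deviation from the recommended value
    compliant: unexpected.length === 0
  };
}

// Constructed sample value: stray spaces, an empty entry, a duplicate and one extra role.
// On an instance the value would come from gs.getProperty(PROPERTY) instead.
var SAMPLE = 'edge_encryption, mid_server ,maint,admin,,admin';
console.log(JSON.stringify(auditExceptionRoles(SAMPLE), null, 2));
```

Any role listed under `unexpected` should be traced to the accounts that hold it before the exception is accepted.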