Session Timeout and Customization in SP-7

Hello,
I have a question from our IT security team. They would like to know if, once a user is authenticated in SP-7, the session automatically ends after a period of inactivity. Additionally, is there an option to customize this duration?
Thank you

Hi @Heryk, as we just set up SSO today, I have been thinking along similar lines. Below is my understanding, and I am happy to learn more.

SSO

Specify doesn’t send a logout ping to the identity broker (I believe in your case EntraID), and therefore the session length is quite detached (the user cannot clear their session with the broker via the SP7 logout button). Therefore, your session length should be set via the broker.

Log in flow:

User clicks SSO button → Request sent to identity broker → Identity broker already has session for user → Broker sends message back saying “good to go, let them in”

Specify

Based on the following line, the Specify session should time out on browser close.

I have tested this today and it seems to behave as expected, except if you use “restore previous session” (in my case in Firefox). I have no knowledge of why restoring the session that way works, but it does.

I believe there is a parameter in Django called SESSION_COOKIE_AGE that could be set in that same file. Perhaps you could try setting that to some low value (like 5 mins) and test to see if it behaves as you expect. The default according to the Django docs is 2 weeks.


Hi Mark, thank you for the helpful information! :smiley:

I also understood that Specify doesn’t send a logout ping to the identity broker. The session duration is independent of the broker; the broker only handles authentication and doesn’t manage session length.

Following your suggestion, I added SESSION_COOKIE_AGE to my specify_settings.py file, and it worked. I was able to reduce the session duration from the default 2 weeks to a much shorter time.

However, this setting controls the total session duration. So, if a user remains active and the session reaches the SESSION_COOKIE_AGE limit, they are logged out. :frowning:

I’m curious if there’s a way to log users out after a period of inactivity instead. For instance, if someone leaves their browser open at the end of the day, could we log them out after, say, 1 hour of inactivity? That would be a very helpful security feature. :slight_smile:

Ah! Perhaps you could give this a try; it looks to function with just one more settings parameter.


Hi @markp ,

Wow! It worked! Thank you! :partying_face:

Here are the details on the solution and my test setup… This may be useful for other Specify-7 users dealing with user session configuration.

In Django, sliding expiration typically refers to the behavior of session expiration. It resets the expiration time every time the session is accessed, which “slides” the expiration window forward. This allows users to remain logged in as long as they keep interacting with the site, instead of being logged out after a fixed time.

To enable this behavior in Django:

Set SESSION_COOKIE_AGE: This defines the duration (in seconds) for how long a session cookie remains valid. The default is 1209600 seconds (2 weeks).

Set SESSION_SAVE_EVERY_REQUEST = True: By enabling this, Django will save the session on every request, effectively resetting the expiration timer every time the session is accessed.

My Example Test Configuration:

# In specify_settings.py
SESSION_COOKIE_AGE = 90            # Session expires after 1.5 minutes (90 seconds) of inactivity
SESSION_SAVE_EVERY_REQUEST = True  # Reset the session expiration on every request

In this setup, the session expires after 1.5 minutes of inactivity, but every request made within that window will reset the countdown, keeping the session alive as long as the user interacts with the site regularly. :blush:

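To make the difference between the two settings concrete, here is an added example (not code from this thread, from Specify, or from Django) that simulates how Django's session middleware applies SESSION_COOKIE_AGE and SESSION_SAVE_EVERY_REQUEST. The store, the session key "sessionid-abc", the user id "42" and the request timings are constructed for the illustration; the rule it models is that Django refreshes a session's expiry only when the session is saved, which happens when session data changes or, with SESSION_SAVE_EVERY_REQUEST = True, on every request.

```python
"""Simulation of Django session expiry under SESSION_COOKIE_AGE and
SESSION_SAVE_EVERY_REQUEST. Added example; this is a model of the
middleware's behaviour, not Django's own code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Settings:
    SESSION_COOKIE_AGE: int = 1209600          # Django default: 2 weeks, in seconds
    SESSION_SAVE_EVERY_REQUEST: bool = False   # Django default


@dataclass
class Session:
    data: dict
    expire_date: datetime
    modified: bool = False


class SessionStore:
    """In-memory stand-in for a Django session backend plus SessionMiddleware."""

    def __init__(self, settings: Settings) -> None:
        self.settings = settings
        self.sessions: dict[str, Session] = {}

    def _expiry(self, now: datetime) -> datetime:
        return now + timedelta(seconds=self.settings.SESSION_COOKIE_AGE)

    def login(self, key: str, user_id: str, now: datetime) -> None:
        # Logging in writes the user id into the session, so the session is
        # saved with a fresh expiry regardless of the save-every-request setting.
        self.sessions[key] = Session(data={"_auth_user_id": user_id},
                                     expire_date=self._expiry(now))

    def request(self, key: str, now: datetime, modify: bool = False) -> bool:
        """Serve one request; return True if it ran as the logged-in user."""
        sess = self.sessions.get(key)
        if sess is None or now >= sess.expire_date:
            self.sessions.pop(key, None)   # backend treats the session as expired
            return False
        if modify:
            # A view that stores something in request.session marks it modified.
            sess.data["last_view"] = now.isoformat()
            sess.modified = True
        # The middleware saves (and so refreshes expire_date) only when the
        # session changed, or on every request if SESSION_SAVE_EVERY_REQUEST.
        if sess.modified or self.settings.SESSION_SAVE_EVERY_REQUEST:
            sess.expire_date = self._expiry(now)
            sess.modified = False
        return True


def run_scenario(settings: Settings, request_offsets: list[int],
                 modifying: set[int] = frozenset()) -> list[bool]:
    """Log in at t=0, then issue requests at the given second offsets.
    Offsets listed in `modifying` simulate a view that writes to the session."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed start time
    store = SessionStore(settings)
    store.login("sessionid-abc", "42", t0)
    return [store.request("sessionid-abc", t0 + timedelta(seconds=s),
                          modify=(s in modifying))
            for s in request_offsets]


if __name__ == "__main__":
    ninety = Settings(SESSION_COOKIE_AGE=90)
    sliding = Settings(SESSION_COOKIE_AGE=90, SESSION_SAVE_EVERY_REQUEST=True)
    print("fixed age, read-only views:   ", run_scenario(ninety, [60, 120, 180]))
    print("fixed age, session written @60:", run_scenario(ninety, [60, 120, 180], {60}))
    print("sliding (save every request): ", run_scenario(sliding, [60, 120, 180, 300]))
```

With a 90-second age and read-only page views, the default configuration logs the user out at the 120-second request even though they were active at 60 seconds; with SESSION_SAVE_EVERY_REQUEST = True each request pushes the expiry forward and only the 300-second request, after a gap longer than 90 seconds, is rejected. The middle scenario shows the subtlety behind the "total session duration" observation in the thread: a view that writes to the session also refreshes the expiry, so without the sliding setting the effective timeout runs from the last session write, not from login.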