
How do I configure an idle timeout in IG (All versions)?

Last updated Jun 8, 2021

This article explains how to configure IG to automatically expire sessions after a set period of time.


Configuring idle timeout

You have two options for setting idle timeout in IG depending on your requirements:

  • JwtSession - if you use this object to store sessions, you can specify how long they are valid for. This is not strictly an idle timeout, but may be sufficient for your needs.
  • HTTP session - if you require true idle timeout functionality, then you must specify session timeout settings in the web application container.


JwtSession

If you are using the JwtSession object to store sessions, you can use the sessionTimeout property to specify how long sessions are valid for:

  1. Set the persistentCookie property to true to create persistent cookies.
  2. Set sessionTimeout to the period of time for which the JWT session is valid. Once this time period is exceeded, the cookie will expire.

See JwtSession for further information including valid duration settings for the sessionTimeout property.

HTTP session

If you want true session idle timeout, you need to set the <session-timeout> property in either the web application container configuration file (global setting) or the web.xml file (located in the WEB-INF directory) for the IG web application. The setting in the IG web application's web.xml file overrides the global setting.

For example, to set the timeout to 60 minutes:

<session-config>
    <session-timeout>60</session-timeout>
</session-config>

The required global configuration file varies according to which container you use:

  • Apache Tomcat™ - web.xml (located in the /path/to/tomcat/conf/ directory).
  • Jetty® - webdefault.xml (located in the /path/to/jetty/etc/ directory).
  • JBoss® - web.xml (located in the server/<profile>/deploy/jboss-web.deployer/conf/ directory).
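The following is an added example, not ForgeRock code, that checks which <session-timeout> is actually in effect by applying the override rule described above: the IG web application's WEB-INF/web.xml wins over the container's global file. The sample documents, the function names and the max_minutes policy limit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not taken from a real deployment).
GLOBAL_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""
APP_XML = """<web-app>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>"""
NEVER_XML = ("<web-app><session-config><session-timeout>0</session-timeout>"
             "</session-config></web-app>")

def _local(tag):
    # '{namespace}session-timeout' -> 'session-timeout'
    return tag.rsplit("}", 1)[-1]

def session_timeout_minutes(web_xml_text):
    """Return the <session-timeout> value in minutes, or None if the file sets none."""
    root = ET.fromstring(web_xml_text)  # local, admin-controlled config files
    for cfg in root.iter():
        if _local(cfg.tag) != "session-config":
            continue
        for child in cfg:
            if _local(child.tag) == "session-timeout" and (child.text or "").strip():
                return int(child.text.strip())
    return None

def effective_idle_timeout(global_xml, app_xml, max_minutes=60):
    """Resolve the timeout in effect; max_minutes is a hypothetical policy limit."""
    for source, text in (("WEB-INF/web.xml", app_xml), ("global file", global_xml)):
        minutes = session_timeout_minutes(text)
        if minutes is not None:
            break
    else:
        return {"minutes": None, "source": None, "ok": False,
                "reason": "no <session-timeout> set; container default applies"}
    if minutes <= 0:
        reason = "value <= 0: sessions never time out"  # Servlet spec behaviour
    elif minutes > max_minutes:
        reason = f"{minutes} min exceeds policy maximum of {max_minutes}"
    else:
        reason = None
    return {"minutes": minutes, "source": source, "ok": reason is None, "reason": reason}

if __name__ == "__main__":
    print(effective_idle_timeout(GLOBAL_XML, APP_XML))
    print(effective_idle_timeout(GLOBAL_XML, NEVER_XML))
```

A value of 0 or less is flagged because the Servlet specification treats it as "never time out", which silently disables the idle timeout this section sets up.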

Automatic logout

There are no session expired triggers in IG that can automatically log you out of an associated application once the session expires. One possible solution would be to call the logout endpoint on the other application every time a user arrives at IG without a valid session; however, if this requires tokens or other values that IG won't have access to (because the user's session has expired or does not exist) then this will not be possible.

See Also

Installing and configuring IG

Java Session Timeout

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.