How To

How do I configure an idle timeout in IG/OpenIG (All versions)?

Last updated Nov 2, 2020

The purpose of this article is to provide information on configuring IG/OpenIG to automatically expire sessions after a set period of time.

2 readers recommend this article

Configuring idle timeout

You have two options for setting idle timeout in IG/OpenIG depending on your requirements:

  • JwtSession - if you use this object to store sessions, you can specify how long they are valid for. This is not strictly an idle timeout, but may be sufficient for your needs.
  • HTTP session - if you require true idle timeout functionality, then you must specify session timeout settings in the web application container.


If you are using the JwtSession object to store sessions, then you can use the sessionTimeout property to specify how long sessions are valid for:

  • In IG 5 and later, there is a persistentCookie property - this must be set to true to create persistent cookies and then you should set sessionTimeout to the period of time for which the JWT session is valid. Once this time period is exceeded, the cookie will expire.
  • In OpenIG 4, cookies are always persistent, which means you just need to set the sessionTimeout property.

See Configuration Reference › JwtSession for further information including valid duration settings for the sessionTimeout property.

HTTP session

If you want true session idle timeout, you need to set the <session-timeout> property in either the web application container configuration file (global setting) or in the web.xml file (located in the WEB-INF directory) for the IG/OpenIG web application; this setting overrides the global setting.

For example, to set the timeout to 60 minutes:

<session-config> <session-timeout>60</session-timeout> </session-config>

The required global configuration file varies according to which container you use:

  • Apache Tomcat™ - web.xml (located in the /path/to/tomcat/conf/ directory).
  • Jetty® - webdefault.xml (located in the /path/to/jetty/etc/ directory).
  • JBoss® - web.xml (located in the server/<profile>/deploy/jboss-web.deployer/conf/ directory).

Automatic logout

There are no session expired triggers in IG/OpenIG that can automatically log you out of an associated application once the session expires. One possible solution would be to call the logout endpoint on the other application every time a user arrives at IG/OpenIG without a valid session; however, if this requires tokens or other values that IG/OpenIG won't have access to (because the user's session has expired or does not exist) then this will not be possible.

See Also

Installing and configuring IG/OpenIG

Java Session Timeout

Related Training


Related Issue Tracker IDs


Copyright and TrademarksCopyright © 2020 ForgeRock, all rights reserved.