Setting to limit session time for users logged into n8n management console [GOT CREATED]

The idea is:
To have a session timeout setting where users are forced to log back in after a desired time has elapsed.

My use case:
Complying with internal compliance requirements.

I think it would be beneficial to add this because:
it would improve the security posture of the product.

Are you willing to work on this?
I do not have the coding experience to implement this.

Hey @Hidden_Squid I’m pleased to say we’ve now added support for setting a custom session timeout as of version 1.26.0. We’ve introduced two new environment variables to configure this which are:

N8N_USER_MANAGEMENT_JWT_DURATION_HOURS - This sets the expiration for the JWTs in hours.

N8N_USER_MANAGEMENT_JWT_REFRESH_TIMEOUT_HOURS - This controls how many hours before the JWT expires to automatically refresh it.

For more details on how to configure these and other variables, check out the environment variables docs.


Thanks so much! Quick question on this - am I able to set it to minutes or is the minimum session duration 1 hour?

No problem! We default to hours but you can indeed set this to minutes too. For example, 0.5 for 30 mins or 0.25 etc., and you can get more granular than that if needed too.

Let us know if you have any other questions on that.

That’s great! Appreciate the info. Last question, is this inactivity based or just overall time before re-auth is needed? Thanks again

Apologies for the delay @Hidden_Squid, I missed this before. This depends a little on what you set the duration and refresh variables to. For example, if you set N8N_USER_MANAGEMENT_JWT_REFRESH_TIMEOUT_HOURS to -1, this would mean auth will always expire after the time you set for N8N_USER_MANAGEMENT_JWT_DURATION_HOURS. Otherwise, if you had N8N_USER_MANAGEMENT_JWT_REFRESH_TIMEOUT_HOURS set to 1 hour and a user makes a request in n8n 1 hour before auth is due to expire, the token would be refreshed.
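
A simplified model of the two behaviours described in the last reply, added here as an illustration; it is not n8n's code and not part of the original thread. The function name `simulateSession`, the refresh rule (refresh when the remaining token lifetime is at most the refresh window) and the sample request times are assumptions.

```javascript
// Added illustration: a simplified model of the behaviour described in the
// thread, not n8n's source code. All times are hours since login.
function simulateSession(durationHours, refreshTimeoutHours, requestTimes) {
  if (!(durationHours > 0)) throw new RangeError('duration must be > 0');
  // The thread covers only -1 (never refresh) and a positive refresh window.
  const neverRefresh = refreshTimeoutHours === -1;
  if (!neverRefresh && !(refreshTimeoutHours > 0)) {
    throw new RangeError('model handles -1 or a positive refresh window only');
  }
  let expiresAt = durationHours; // token issued at t = 0
  const events = [];
  for (const t of [...requestTimes].sort((a, b) => a - b)) {
    if (t >= expiresAt) {
      // Token already expired: the user has to log in again.
      events.push({ t, outcome: 'reauth-required' });
      return { events, expiredAt: expiresAt };
    }
    const remaining = expiresAt - t;
    if (!neverRefresh && remaining <= refreshTimeoutHours) {
      expiresAt = t + durationHours; // new token with a full lifetime
      events.push({ t, outcome: 'refreshed' });
    } else {
      events.push({ t, outcome: 'ok' });
    }
  }
  return { events, expiredAt: expiresAt };
}

// Constructed sample: 8-hour tokens, a user active every 30 minutes for 24 hours.
const activeUser = Array.from({ length: 48 }, (_, i) => (i + 1) * 0.5);

const absolute = simulateSession(8, -1, activeUser); // hard cap at 8 hours
const sliding = simulateSession(8, 1, activeUser);   // refreshed while active
console.log('refresh=-1: session ends at hour', absolute.expiredAt);
console.log('refresh=1 : token valid until hour', sliding.expiredAt);
```

Under this model a positive refresh window keeps a continuously active user signed in, so a fixed re-authentication interval corresponds to the -1 setting.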