Session expiry in Cumulocity


Cumulocity enforces a session timeout after a period of inactivity or when logging in the tenant. Is there a way to configure that timeout and extend it?


This solution works for Cumulocity versions newer than 10.11

By default, the session in Cumulocity times out after 15 days. However, you can control the session duration by configuring cookie or token expiration. The steps to configure this are different depending on the login method you use, here are all the possibilities:

1. Basic Auth only

  • Login has no built-in expiry mechanism, there is no session timeout and no session cookie. You need to explicitly state that the browser should remember you.

2. Basic Auth + SMS TFA

  • Using this method, your default timeout duration is 15 minutes.
  • You can configure it by using the tenant options.

3. OAuth internal

  • This method has built in expiry mechanisms – token and cookie lifespan, and you can configure them:
  • From version 10.6.6:
    • Category: oauth.internal
    • Cookie lifespan has the key value: basic-user.cookie.lifespan.seconds
    • You can set it by an HTTP POST with management credentials to {{url}}/tenant/options and using a body like:
"category": "oauth.internal",
  • Before
    • Cookie expiration configuration is not available.
    • The token’s lifespan category is: oauth.internal.token
    • The token’s key is: basic-user.lifespan.seconds

4. TFA

  • When TFA is enforced, the ‘Support user’ functionality does not work for subtenants. Connecting to the platform via tunnel does not work either, unfortunately.
  • The token expires after 2 weeks, meaning it is not possible to be continuously logged onto the platform for 2 weeks.
  • The session timeout configuration can be done in TFA settings {{url}}/apps/administration/index.html#/auth-configuration/basic_settings) with options “Limit token validity for x minutes” and “Limit verification code validity for y minutes.”

5. SSO

  • Cookie is valid for 2 weeks by default and is not configurable.
  • The access token that goes in is valid for a period, specified on the Authorization Server side and it can be configured by the cookie lifespan, it depends on the values from JWT that are returned from the authorization server.

Relevant articles: