Session timeout is set org-wide first, then optionally tightened per profile. The steps below cover both halves of the configuration plus the inspection and force-logout options for incident response.
- Open Session Settings
Go to Setup, Security, Session Settings. The page covers all session policies including the timeout picklists.
- Set the org-wide Timeout Value
Pick the inactivity timeout from the Timeout Value picklist: 15 minutes for the strictest control, 2 hours for the default balance, up to 24 hours for permissive workflows. The choice applies to every user not covered by a profile-level override.
- Set the Maximum Session Length
Pick the absolute timeout from the Maximum Session Length picklist: 1 hour for high-security contexts, 12 hours for the default, up to 24 hours for shift workers. The session ends at the absolute timeout regardless of activity.
- Override the timeout on sensitive profiles
Open the profile of a sensitive user population (System Administrator, Finance User, HR User). Edit the Session Settings section. Pick a tighter Session Timeout from the picklist. Profile overrides can only make the timeout tighter than the org default, not looser.
- Test by waiting out the timeout in a non-prod org
Log in as a representative user in a sandbox. Wait through the configured inactivity timeout without interacting. Confirm the warning popup appears at the expected time, and that the session ends correctly. Repeat with the absolute timeout to confirm the hard ceiling fires as expected.
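Waiting out the timeout proves the UI behaviour for one user; it does not tell you whether every profile override actually took effect. The anonymous Apex below is an added example, not part of the original page or of any Salesforce product code. It reads the org's current sessions from the AuthSession object and compares each session's inactivity timeout (NumSecondsValid) and age against the values you configured. The limit values, the two profile names and the 'UI' SessionType filter are assumptions: replace them with your own Session Settings and profiles.

```apex
// Added example, not from the page: an anonymous Apex script that checks whether the
// session timeouts configured in steps 2 to 4 are actually reflected on live sessions.
// Assumptions: the org-wide Timeout Value is 2 hours, the Maximum Session Length is
// 12 hours, and two profiles carry tighter overrides. Adjust these to your own org.
Integer orgInactivitySeconds = 2 * 60 * 60;
Integer maxSessionSeconds    = 12 * 60 * 60;
Map<String, Integer> profileInactivitySeconds = new Map<String, Integer>{
    'System Administrator' => 30 * 60,
    'Finance User'         => 15 * 60
};

// Resolve each active user's profile name so a session can be checked against the
// override for that profile rather than the org-wide default.
Map<Id, String> profileNameByUserId = new Map<Id, String>();
for (User u : [SELECT Id, Profile.Name FROM User WHERE IsActive = true]) {
    profileNameByUserId.put(u.Id, u.Profile.Name);
}

// AuthSession lists the org's current sessions. NumSecondsValid is the inactivity
// timeout applied to that session, so a value above the expected limit means the
// override did not take effect (or the user is not on the profile you assumed).
List<String> findings = new List<String>();
Long nowMs = Datetime.now().getTime();
for (AuthSession s : [SELECT Id, UsersId, SessionType, LoginType, NumSecondsValid,
                             CreatedDate, SourceIp
                      FROM AuthSession]) {
    // Connected-app OAuth sessions follow the app's own session policy, so only
    // browser sessions are compared against Session Settings here
    // (assumes 'UI' is the SessionType value for those sessions).
    if (s.SessionType != 'UI') { continue; }

    String profileName = profileNameByUserId.get(s.UsersId);
    Integer expected = profileInactivitySeconds.containsKey(profileName)
        ? profileInactivitySeconds.get(profileName)
        : orgInactivitySeconds;

    if (s.NumSecondsValid > expected) {
        findings.add('Session ' + s.Id + ' for user ' + s.UsersId + ' (' + profileName
            + ') has inactivity timeout ' + s.NumSecondsValid + 's, expected <= '
            + expected + 's');
    }

    // A session older than the absolute ceiling should not exist; if one does, the
    // Maximum Session Length is not enforcing what you expect.
    Long ageSeconds = (nowMs - s.CreatedDate.getTime()) / 1000;
    if (ageSeconds > maxSessionSeconds) {
        findings.add('Session ' + s.Id + ' from ' + s.SourceIp + ' is ' + ageSeconds
            + 's old, beyond the ' + maxSessionSeconds + 's maximum session length');
    }
}

System.debug(findings.isEmpty()
    ? 'All UI sessions match the configured timeouts'
    : String.join(findings, '\n'));
```

Run it from the Developer Console (Debug, Open Execute Anonymous Window) as an administrator in the sandbox you used for step 5, once a few users from each overridden profile are logged in. An empty findings list confirms the configuration; any line in the debug log names the session and user whose effective timeout disagrees with what you set.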
- Timeout Value
The inactivity timeout in minutes or hours. The session expires after this period of no user interaction.
- Maximum Session Length
The absolute timeout from session start. The session ends at this ceiling regardless of activity.
- Disable session timeout warning popup
Suppresses the warning popup that otherwise appears 30 seconds before the timeout. Useful for kiosks; reduces friction for users who do not want the interruption.
- Profile-level session timeout can only make the org-wide timeout tighter, not looser. A profile cannot extend timeout beyond the org's Maximum Session Length, even for an exceptional user population.
- Lightning Experience sends a heartbeat every 30 seconds when the tab is visible, which can keep the inactivity timer alive longer than expected. Background tabs do not heartbeat, so a stale Lightning tab will still time out as designed.
- OAuth tokens issued by connected apps have their own session policy, independent of the org-wide timeout. An integration that breaks at unexpected times often has a misconfigured connected app session policy, not a Session Settings problem.