What is Session Timeout in Power Pages?
Session Timeout defines the maximum duration a user can stay authenticated (logged in) to the portal before the session expires.
Inactivity Timeout refers to logging out a user if they remain idle (no activity) beyond a defined period.
These timeouts are important for:
- Enhancing security by minimizing unauthorized access.
- Complying with data protection regulations (like GDPR).
- Reducing session misuse, especially in shared environments.
Key Terminology
| Term | Description |
|---|---|
| Session Timeout | Duration after which a session expires regardless of activity |
| Inactivity Timeout | Duration after which a session expires due to inactivity |
| Sliding Expiration | Extends the session expiration time if the user remains active |
| Token Lifetime | Duration for which an authentication token is valid (mainly for Azure AD logins) |
How Power Pages Manages Sessions
Power Pages leverages ASP.NET and Azure AD authentication models. The timeout settings are applied in different layers:
- Power Pages Site Settings
- Azure AD B2C / Identity Provider Settings
- Browser-level cookie/token expiration
🛠️ How to Configure Session Timeout
📍 1. Set Timeout in Power Pages Site Settings
You can define session timeout values through Site Settings in the Portal Management App.
Add or Modify the Following Site Settings:
| Name | Value | Description |
|---|---|---|
| Authentication/SessionTimeoutEnabled | true | Enables custom session timeout settings |
| Authentication/SessionTimeoutInMinutes | 20 | Sets the inactivity timeout (e.g., 20 minutes) |
| Authentication/SessionTimeoutType | Sliding or Fixed | Sliding resets the timer on activity; Fixed does not |
| Authentication/SessionTimeoutWarningInMinutes | 2 | Time before timeout at which a warning popup is shown |
| Authentication/SessionTimeoutRedirectUrl | /sign-in | Page to redirect the user to after timeout |
Steps to Configure:
- Open the Portal Management App
- Go to Site Settings
- Add each of the above settings (if not already present)
- Save and Publish changes
2. Configuring Timeout in Azure AD B2C (if used)
If your portal uses Azure Active Directory B2C for login:
- Navigate to the Azure Portal
- Go to Azure AD B2C > User Flows or Custom Policies
- Adjust Access Token Lifetime and Refresh Token Lifetime in the Identity Experience Framework
Typical default values:
- Access token lifetime: 1 hour
- Refresh token lifetime: 14 days (with sliding window)
For stricter control, create a Token Lifetime Policy:
```json
{
  "TokenLifetimePolicy": {
    "AccessTokenLifetime": "00:30:00",
    "MaxInactiveTime": "00:20:00"
  }
}
```
Then assign the policy to your app registration.
How the Timeout Warning Works
When Authentication/SessionTimeoutWarningInMinutes is set:
- A JavaScript modal/popup appears in the portal warning the user that their session is about to expire.
- Users can choose to stay signed in, which resets the timer (if the Sliding type is used).
- If there is no response, they are redirected after the full timeout.
Example: 30-Minute Session with Warning
| Setting | Value |
|---|---|
| Authentication/SessionTimeoutEnabled | true |
| Authentication/SessionTimeoutInMinutes | 30 |
| Authentication/SessionTimeoutType | Sliding |
| Authentication/SessionTimeoutWarningInMinutes | 5 |
| Authentication/SessionTimeoutRedirectUrl | /sign-in |
Outcome:
- User is logged out after 30 minutes of inactivity
- At 25 minutes, a popup warns them
- If they click “Stay signed in”, the timer resets
Best Practices
- Use Sliding Timeout for better UX and session continuity.
- Use Fixed Timeout for highly secure apps or where auto-logout is required by compliance.
- Always show a warning popup to avoid data loss or user frustration.
- Combine with CAPTCHA and Web Role/Table Permissions for layered security.
- Customize the Redirect URL to lead users back to the login or home page.
Troubleshooting
| Problem | Solution |
|---|---|
| Timeout not applying | Ensure SessionTimeoutEnabled is true |
| Warning not showing | Check that SessionTimeoutWarningInMinutes is lower than the total timeout |
| Immediate logout | Check the token lifetime configured in Azure AD; a misconfigured lifetime can end sessions immediately |
| Redirect not working | Confirm the URL path in SessionTimeoutRedirectUrl is valid |
Testing Timeout Behavior
- Log in to your portal
- Stay idle for the defined time
- Observe the warning popup
- Either interact or wait for the redirection
- Log in again and validate the redirection
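The warning and sliding/fixed behaviour described above, the 30-minute example, the Troubleshooting checks and the testing steps can all be exercised offline with a small model. The following is an added example and is not code from the original article or from Power Pages itself; the site-setting names are the ones listed above, while `SessionTimeoutMonitor`, `validateSessionTimeoutSettings` and `runSlidingScenario` are names assumed for this illustration, and all times are explicit millisecond values passed in by the caller.

```javascript
// Added example, not code from the original article or from Power Pages.
// It models the warning -> sliding/fixed -> redirect behaviour described above
// using the site-setting names the article lists, and lints a settings map for
// the conditions in the Troubleshooting table. Times are passed in explicitly,
// so it runs offline with no real timers.

const MINUTE = 60 * 1000;

// Constructed sample matching the article's 30-minute example.
const EXAMPLE_SETTINGS = {
  "Authentication/SessionTimeoutEnabled": "true",
  "Authentication/SessionTimeoutInMinutes": "30",
  "Authentication/SessionTimeoutType": "Sliding",
  "Authentication/SessionTimeoutWarningInMinutes": "5",
  "Authentication/SessionTimeoutRedirectUrl": "/sign-in",
};

// Returns a list of problems; an empty list means the settings are consistent.
function validateSessionTimeoutSettings(settings) {
  const get = (key) => settings["Authentication/" + key];
  const problems = [];
  if (get("SessionTimeoutEnabled") !== "true") {
    problems.push("SessionTimeoutEnabled must be 'true' or the timeout is not applied");
  }
  const timeout = Number(get("SessionTimeoutInMinutes"));
  const warning = Number(get("SessionTimeoutWarningInMinutes"));
  if (!(timeout > 0)) {
    problems.push("SessionTimeoutInMinutes must be a positive number");
  }
  if (!(warning >= 0 && warning < timeout)) {
    problems.push("SessionTimeoutWarningInMinutes must be lower than SessionTimeoutInMinutes or no warning is shown");
  }
  if (!["Sliding", "Fixed"].includes(get("SessionTimeoutType"))) {
    problems.push("SessionTimeoutType must be 'Sliding' or 'Fixed'");
  }
  const url = get("SessionTimeoutRedirectUrl") || "";
  // Require a site-relative path: '/sign-in' is fine, while 'https://other.example'
  // or '//other.example' would send the logged-out user off-site (open redirect).
  if (!/^\/(?!\/)/.test(url)) {
    problems.push("SessionTimeoutRedirectUrl must be a site-relative path such as /sign-in");
  }
  return problems;
}

// Tracks one authenticated session through 'active' -> 'warning' -> 'expired'.
class SessionTimeoutMonitor {
  constructor(settings, loginTime) {
    const problems = validateSessionTimeoutSettings(settings);
    if (problems.length) throw new Error(problems.join("; "));
    this.timeoutMs = Number(settings["Authentication/SessionTimeoutInMinutes"]) * MINUTE;
    this.warningMs = Number(settings["Authentication/SessionTimeoutWarningInMinutes"]) * MINUTE;
    this.sliding = settings["Authentication/SessionTimeoutType"] === "Sliding";
    this.redirectUrl = settings["Authentication/SessionTimeoutRedirectUrl"];
    this.anchor = loginTime; // start of the window the timeout is measured from
  }

  // Moment the session expires given the current anchor.
  expiresAt() { return this.anchor + this.timeoutMs; }

  // Called on user activity or on "Stay signed in". Only a Sliding timeout
  // moves the window; a Fixed timeout ignores activity. Returns true if reset.
  activity(now) {
    if (!this.sliding || now >= this.expiresAt()) return false;
    this.anchor = now;
    return true;
  }

  state(now) {
    if (now >= this.expiresAt()) return "expired";
    if (now >= this.expiresAt() - this.warningMs) return "warning";
    return "active";
  }

  // Where the portal sends the user once the session has expired (null otherwise).
  redirectTarget(now) {
    return this.state(now) === "expired" ? this.redirectUrl : null;
  }
}

// Deterministic walk through the article's testing steps with fake time.
function runSlidingScenario() {
  const t0 = 0;
  const m = new SessionTimeoutMonitor(EXAMPLE_SETTINGS, t0);
  const trace = [];
  trace.push(m.state(t0 + 10 * MINUTE));          // idle 10 min: still active
  trace.push(m.state(t0 + 25 * MINUTE));          // idle 25 min: warning popup
  m.activity(t0 + 26 * MINUTE);                   // user clicks "Stay signed in"
  trace.push(m.state(t0 + 30 * MINUTE));          // would have expired; now active
  trace.push(m.state(t0 + 56 * MINUTE));          // 26 + 30 = 56 min: expired
  trace.push(m.redirectTarget(t0 + 56 * MINUTE)); // "/sign-in"
  return trace;
}
```

Running `runSlidingScenario()` yields `["active", "warning", "active", "expired", "/sign-in"]`, which is the outcome listed for the 30-minute example; switching the type to Fixed makes `activity()` return false and the session expires at 30 minutes regardless of clicks. Note that a countdown like this runs in the browser, so it can only inform the user; what actually ends the session is the authentication cookie and token lifetime configured in the site settings and the identity provider, which is why the Troubleshooting table points at those values first.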
Final Notes
Session timeout control in Power Pages allows you to balance user experience and security compliance. When configured correctly, it:
- Protects user sessions
- Reduces unauthorized access risks
- Ensures compliance with enterprise or regulatory policies
It’s highly recommended for any authenticated or sensitive portal project.