The Web module uses a configurable timeout value to determine how long an authentication cookie remains valid after a successful login. This timeout is not based on user inactivity. Additional concepts such as occasional‑user licence timeout and the .NET <forms timeout> setting behave differently and should not be confused with one another. This article explains each timeout type and how they behave.

Authentication

Authentication timeout is controlled by a setting at the server, in the file WebUI\Web.config:

<add key="timeout" value="1440" />

The value controls how long a user can remain logged in, before having to log in again.  It is not an inactivity timeout.

This can be set to 0 in order to force the user to log in each time they start their browser.  

• Users of on-prem systems can read how this is configured in this article:  How to force a WebUI user to log in after a browser restart – Ideagen Internal Audit • Aura | Help | Ideagen Luminate.
• Users of hosted systems wanting to have this setting changed should raise a ticket with the Support team.

Occasional user licence timeout

Some users are licensed as occasional, meaning their licence is temporarily taken from a shared pool when they log in.

• If an occasional user remains idle for 15 minutes, their licence is automatically returned to the pool.
• This duration is hard-coded and cannot be changed.

This process only affects licence allocation, not authentication or login state.

Inactivity Timeout

The application does not support inactivity timeout.

This means that users are not automatically logged out due to inactivity.

.NET <forms timeout> Setting: a clarification

The Microsoft .NET Framework includes a configuration option:

<forms timeout="x" />

• Note that this is not an inactivity timeout.
• It defines how long a user can work in the system before needing to log in again, based on cookie lifetime