Our company has implemented a policy that forces users to log out of all office applications every seven days. I'm curious about the necessity behind this. If we already have conditional access policies and multi-factor authentication (MFA) set up, is it really needed to log everyone out so frequently? I'm okay with MFA prompts, but having to sign out of everything seems extreme. Can someone explain what security benefits are actually gained from this policy?
4 Answers
Yeah, this seems like a standard session expiration policy. Many web apps kick you out after a week, even if you’re actively using them. It might be worth checking if there’s a session timeout setting that can be adjusted. For example, some platforms like GitLab have configurable session durations. Also, ensure that cookie settings on the browser aren’t scrolling back that limit. We made some adjustments on our end that really cut down on those weekly login annoyances!
Ugh, this sounds excessive! Microsoft even recommends a 90-day session length, and I recently moved my personal account to 30 days thinking that was better. Logging in every week is just a hassle—and it’s annoying to have to redo authentication across all my devices like Outlook and Teams. There has to be a better balance!
From what I understand, the weekly logout is meant to prevent token theft and session hijacking. That being said, a week feels a bit long for that concern. If it’s a big worry, wouldn’t logging out every 24 hours make more sense?
Our Chief Information Security Officer loves this policy too. While I can’t say I’m a fan, I see how it can help. With increasing man-in-the-middle attacks, it provides a safety net against attackers who manage to get into a user’s session. If someone takes over an account through clever phishing, having a shorter session time limits their access. That said, it can really complicate things, especially when all the devices in the office have to re-authenticate, which can be chaotic!
Totally agree! Shorter logout times could really help mitigate risk from stolen devices or tokens.