Home
IT Hub

Configuring Session Timeout in ServiceNow

Step-by-Step
Reco Security Experts
Updated
May 27, 2024
May 27, 2024

Configuring Session Timeout in ServiceNow: Enhancing Security and Efficiency

Session timeout refers to the period of inactivity after which a user’s session is automatically terminated, requiring re-authentication to access the system. This feature prevents unauthorized access to sensitive information in case a user leaves their session unattended or forgets to log out. Configuring session timeouts in ServiceNow involves setting the duration of user sessions based on organizational security policies and user requirements.

Configure a Maximum Active Time for User Sessions

By default, sessions expire only after a period of inactivity. Enforcing a maximum active session time ends sessions regardless of whether a user has been active recently, including whether they recently selected to extend a session. The active session timeout should be greater than the value configured for the inactive session timeout. For example, if sessions are configured to time out after 30 minutes of inactivity, the active session timeout should be greater than 30 minutes.

Step 1: Access System Properties:

Log in as an Administrator, navigate to "sys_properties.list" using the navigation filter, and press "enter."

Step 2: Filter Properties:

Search for the following properties:

  • "glide.ui.active.session.life_span": Sets the maximum session time for authenticated user sessions.
  • "glide.guest.active.session.life_span": Sets the maximum session time for guest user sessions.

Step 3: Set Values: 

Enter the desired duration (in minutes) in the Value field for each property.

The value should be greater than the value of the corresponding properties for an inactive session timeout: glide.ui.session_timeout for authenticated users or glide.guest.session_timeout for guest users. By default, the inactive session timeout for both authenticated and guest users is 30 minutes.

Step 4: Update: 

Save the changes to apply the configured session timeouts.

Modify User Session Timeout After Inactivity

Specify when to time out user sessions after a period of inactivity. By default, after 30 minutes of inactivity in the application, the platform logs the user out automatically unless the "Remember Me" check box in the login screen is selected. Making the interval longer can lead to the unnecessary maintenance of inactive sessions in memory. Adjust this timeout setting to no more than a few hours, although up to 24 hours is workable.

Note:

  • Ajax calls to the server keep the session alive (such as Labels and Refreshing dashboards).
  • Polling keeps the session alive when the chat desktop is open (if the "Chat" plugin is installed).

Aspect Details
Recommended value The user specified timeout in minutes. 30 minutes is the recommended value, but this value may vary depending on functionality and security requirements. Do not set this value to more than one day.
Functional impact (Medium) This remediation enforces the timely expiration of the user account. No functionality impact, however, the User experience is altered.
Security risk (Medium) User sessions being active for an indefinite amount of time is a security risk and should expire on a time-based configuration.

Step 1: Accessing UI Properties:

Logged in as an Administrator, navigate to the "System Properties" section and select "UI Properties".

Step 2: Clear "Remember Me" from the Login Page:

Search on the properties "Remove 'Remember Me” checkbox from the login page. And uncheck the checkbox.

To do this, you need to elevate your role to "security_admin"

Step 3: Access System Properties:

Log in as an Administrator and navigate to "sys_properties.list" using the navigation filter, and press "enter".

Step 4: Filter Properties:

Search for the "glide.ui.session_timeout" property.

If "glide.ui.session_timeout" doesn’t exist, select the "New" button to add a new property using the following values:

  • Name: glide.ui.session_timeout
  • Description: Type a brief description. In this case, enter something like: “Override the default session timeout (30). This value is in minutes.
  • Type: Select the appropriate data type. In this case, select Integer.
  • Value: Change the default value from 30 minutes to a value of your choice.

What Can You Do Next?

Administrators may also want to add the following properties to the System Properties table.

  • glide.security.csrf.handle.ajax.timeout: Handles errors for timed-out Ajax requests when set to true.
  • glide.security.auto.resubmit.ajax: Automatically resubmit timed-out Ajax requests when set to true and the login to an instance check box is selected or change the default value of the Remember me check box. A pop-up appears to users asking them to continue.
  • glide.ui.auto_req.extend.session: When set to true, the system automatically extends a user's session by the value they select for the homepage refresh time. If there’s no homepage refresh time, the standard timeout value applies. Tablet and mobile devices don’t support this property. When set to false, user sessions time out when the "Remember me" checkbox is clear. The timeout is based on whether there’s a homepage refresh time. When there’s no homepage refresh time, the standard timeout value applies. When there’s a homepage refresh time, the user session times out after the timeout value plus one interval of the homepage refresh time. For example, if a user selects a refresh interval of five minutes, then that session expires after the timeout value plus five minutes.

Note: Users who select the ”Remember Me” checkbox are unaffected by session timeout properties.

Administrators can also add the following properties to configure additional timeout settings for user sessions. These additional settings help to conserve system resources:

  • glide.session.unauthorized.timeout.enabled: Enables an alternate session timeout for unauthenticated, guest sessions. Guest sessions are created for HTTP requests to the instance that don’t contain authentication information. By default, this property is set to true.
  • glide.unauthorized.session_timeout: Specifies the time, in minutes, after an authenticated user logs out of an instance before the session ends. Set the property to a value greater than 0 and less than the value in the glide.ui.session_timeout property.

Functional Impacts

  • Longer session timeouts may increase memory utilization during processing sessions.
  • Users are logged out automatically after a period of inactivity unless the “Remember Me” option is selected.
  • Automatic refresh of content on home pages may prevent session timeout.

Conclusion

Configuring session timeout in ServiceNow is a crucial step in enhancing security and efficiency within your organization. By setting appropriate session durations and enforcing maximum active times, you can protect sensitive information from unauthorized access and optimize system performance. This guide has outlined the necessary steps to configure session timeouts, including adjusting properties and implementing best practices. By following these recommendations, you can ensure that your ServiceNow environment remains secure and efficient, providing a better user experience and protecting valuable data.

Explore More
See more articles from our Hub

Start Securing Your Entire SaaS Lifecycle

Request a demo