
Feature: configurable backend session timeout #34150

@cursor

Description


Summary

  • Backend session timeout is currently fixed, unlike the front-end keep-alive options.
  • Security team requests ability for customers to tune timeout values per environment.
  • Implement configurable backend session timeout exposed via standard configuration property.

Context

Slack request from security channel (Mehdi Karimi) noted that only front-end keep-alive exists today (https://dev.dotcms.com/docs/request-response-and-session#SessionKeepAlive). Customers using the OWASP plugin cannot adjust backend session expiry in core and need native support to align with their policies.

Acceptance Criteria

  • Add configuration property (e.g., SESSION_TIMEOUT_MINUTES) with sensible default matching current behavior.
  • Document how admins can set the value (docs + release notes).
  • Ensure timeout propagates through backend session management (login, admin UI, REST).
  • Include automated tests covering default and custom values.
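One shape the propagation step above could take, as an added illustration (not dotCMS code and not part of this issue): a servlet `HttpSessionListener` that reads the proposed `SESSION_TIMEOUT_MINUTES` property, bounds it, and applies it to every new backend session. The lookup order (system property, then environment variable), the 30-minute default and the 24-hour upper bound are assumptions for the example; the real default must match the current behavior per the first acceptance criterion. The security-relevant detail it guards is that `setMaxInactiveInterval` treats zero or negative values as "never expire", so a malformed or out-of-range setting falls back to the default instead of silently disabling expiry.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical listener illustrating a configurable backend session timeout.
 * Not dotCMS code: the property lookup, default and bound are assumptions.
 */
@WebListener
public class ConfigurableSessionTimeoutListener implements HttpSessionListener {

    // Property name proposed in the issue; the value is in minutes.
    static final String PROPERTY = "SESSION_TIMEOUT_MINUTES";
    // Assumed default for this example; the real default must mirror current behavior.
    static final int DEFAULT_MINUTES = 30;
    // Assumed upper bound so a typo like "100000" cannot create near-permanent sessions.
    static final int MAX_MINUTES = 24 * 60;

    /** Resolve the timeout: JVM system property first, then environment variable, then default. */
    static int resolveTimeoutMinutes() {
        String raw = System.getProperty(PROPERTY);
        if (raw == null || raw.isBlank()) {
            raw = System.getenv(PROPERTY);
        }
        return parseMinutes(raw);
    }

    /**
     * Parse and bound the configured value. Anything unparseable, zero, negative or
     * above MAX_MINUTES falls back to the default rather than disabling expiry.
     */
    static int parseMinutes(String raw) {
        if (raw == null || raw.isBlank()) {
            return DEFAULT_MINUTES;
        }
        try {
            int minutes = Integer.parseInt(raw.trim());
            if (minutes < 1 || minutes > MAX_MINUTES) {
                return DEFAULT_MINUTES;
            }
            return minutes;
        } catch (NumberFormatException e) {
            return DEFAULT_MINUTES;
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // setMaxInactiveInterval takes seconds; a value <= 0 means "never expire",
        // which parseMinutes never returns.
        session.setMaxInactiveInterval(resolveTimeoutMinutes() * 60);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up for this example.
    }
}
```

Because the listener runs on every session creation, the same value reaches sessions opened by login, the admin UI and REST clients, which is the propagation the third criterion asks for. The `parseMinutes` method is kept static and side-effect free so the fourth criterion (tests for the default and for custom values, including invalid ones) can exercise it without a servlet container.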

Additional Notes

  • Coordinate with security reviewers to validate defaults.
  • Consider backward compatibility for existing installations.

Metadata


  • Assignees: No one assigned
  • Projects: Status: Future
  • Milestone: No milestone
  • Relationships: None yet
  • Development: No branches or pull requests
