Idea Delivered

Hi Venkat,

I am happy to say that as part of Access Management feature that is released in context of Sites 9.5 you are able to configure session time out

https://docs.sdl.com/816112/785814/sdl-tridion-sites-9-5/access-management-configuration-properties

See AccessTokenLifetime setting

As well we provide out of the box sign out feature for new Experience Space 

Provide a configuration parameter to set SDL CME session time out

 User session is not expiring in SDL8.5 CME and there is no mechanism to logout users after stipulated time. Of course, there is a variable called 'accessTokenExpiration' that define how long a token is to be expired, but the current CME implementation will automatically refresh the token if expired.  So at the moment, there is not any setting that you can use to expire a session after some idle time.

Consequently, this is captured as a risk in our internal audit. It is recommended to have controllable session like other web applications to comply with regulatory requirements. Based on our findings, it is same with SDL 9.1 as well. Since we are encouraged not to do customizations, SDL may add configuration settings in the product itself for session time outs in next/future release.