Enforce WARP session timeout
Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your or as part of your .
When a user goes to a protected application or website, Cloudflare checks their WARP session duration against the configured session timeout. If the session has expired, the user will be prompted to re-authenticate with the identity provider (IdP) used to enroll in the WARP client. A user’s WARP session duration resets to zero whenever they log in to the IdP, regardless of what triggered the authentication event.
Ensure that traffic can reach your IdP and
<your-team-name>.cloudflareaccess.com through WARP.
Configure WARP sessions in Gateway
You can enforce WARP session timeouts on any Gateway Network and HTTP policy that has an Allow action. If you do not specify a session timeout, the WARP session will be unlimited by default.
To configure a session timeout for a Gateway policy:
- In , go to either Gateway > Firewall Policies > Network or Gateway > Firewall Policies > HTTP.
- Add a policy and select the Allow action. Alternatively, choose any existing Allow policy.
- Under Step 4 - Configure policy settings, select Edit next to Enforce WARP client session duration.
- Enter a session expiration time in
1h30m0sformat and save.
- Save the policy.
Session checks are now enabled for the application protected by this policy. Users can continue to reach applications outside of the policy definition.
Configure WARP sessions in Access
You can allow users to log in to Access applications using their WARP session. WARP authentication is only supported for Access applications protected by Allow or Block policies.
To configure WARP sessions for Access applications:
- In , go to Settings > WARP Client.
- In Device enrollment permissions, select Manage.
- Go to the Authentication tab and enable WARP authentication identity.
- Under Session duration, choose a session timeout value. This timeout will apply to all Access applications that have WARP authentication enabled.
- (Optional) To enable WARP authentication by default for all existing and new applications, select Apply to all Access applications. You can override this default setting on a per-application basis when you or modify an Access application.
- Select Save.
Users can now authenticate once with WARP and have access to your Access applications for the configured period of time. The session timer resets when the user re-authenticates with the IdP used to enroll in WARP.
- Only one user per device — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. You can revoke a device registration by going to My Team > Devices.
- Active connections are not terminated — Active sessions such as SSH and RDP will remain connected beyond the timeout limit.
- Binding Cookie is not supported - WARP authentication will not work for Access applications that have the enabled.