Session management
A user session determines how long a user can access an Access application without re-authenticating.
When a user logs in to an application protected by Access, Access validates their identity against your Access policies and generates two signed JSON Web Tokens (JWTs):
Token | Description | Expiration | Storage |
---|---|---|---|
Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | Global session duration | Your Cloudflare team domain |
Application token | Allows the user to access a specific Access application. | Policy session duration (if set), otherwise the application session duration | The hostname protected by the Access application |
The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.
The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application.
You can set a global session duration between 15 minutes and 1 month.
- In Zero Trust ↗, go to Settings > Authentication.
- Under Global session timeout, select Edit,
- Select the desired timeout duration from the dropdown menu.
The user will be required to re-authenticate with the IdP after this period of time.
You can set an application session duration for self-hosted and private Access applications. Available session durations range from immediate timeout to 1 month. The default is 24 hours.
- In Zero Trust ↗, go to Access > Applications.
- Locate the application you want to configure and select Edit.
- In the Overview tab, select a Session Duration from the dropdown menu.
The application token will expire after this period of time (unless you have set a policy session duration).
Access session durations only control the front door to a SaaS app; Access does not control how long the user can stay in the SaaS app itself. For example, if the user logs out of the SaaS app and then comes back to it, a valid Access application token allows them to re-authenticate without another login. The SaaS app issues its own authorization cookie that manages the user's session within the app.
You can set a policy session duration ranging from immediate timeout to one month. The policy session duration takes precedence over the application session duration.
- In Zero Trust ↗, go to Access > Applications.
- Locate the application you want to configure and select Edit.
- Go to the Policies tab and select Configure for any policy.
- Select a Session Duration from the dropdown menu.
Users who match this policy will be issued an application token with this expiration time.
Access provides two options for revoking user sessions: per-application and per-user.
To immediately terminate all active sessions for a specific application:
-
In Zero Trust ↗, go to Access > Applications.
-
Locate the application for which you would like to revoke active sessions and select Edit.
-
In the Overview tab, select Revoke existing tokens.
Unless there are changes to rules in the policy, users can start a new session if their profile in your identity provider is still active.
Access can immediately revoke a single user session across all applications in your account. However, if the user's identity profile is still active, they can generate a new session.
If you want to permanently revoke a user's access:
-
Disable their account in your identity provider so that they cannot authenticate.
-
In Zero Trust ↗, go to My Team > Users.
-
Select the checkbox next to the user you want to revoke.
-
Select Action > Revoke access.
The user will no longer be able to log in to any application protected by Access. The user will still count towards your seat subscription until you remove the user from your account.
When administrators revoke a user's Cloudflare Access token, that user will not be able to log in again for up to 1 minute. If they attempt to do so, Cloudflare Access will display an error.
To log out of Access, the end user can visit either of the following URLs:
<your-application-domain>/cdn-cgi/access/logout
<your-team-name>.cloudflareaccess.com/cdn-cgi/access/logout
This action revokes the user's session across all applications. Access will immediately clear the authorization cookie from the user's browser, and all previously issued tokens will stop being accepted in 20-30 seconds. The only difference between these two URLs is which domain the authorization cookie is deleted from. For example, going to <your-application-domain>/cdn-cgi/access/logout
will remove the application cookie and make the logout action feel more instantaneous.
You can use these URLs to create custom logout buttons or links directly within your application.
Pages that rely heavily on AJAX or single-page applications can block sub-requests due to an expired Access token without prompting the user to re-authenticate.
You can configure Access to provide a 401
response on sub-requests with an expired session token. We recommend using this response code to either force a page refresh or to display a message to the user that their session has expired.
In order to receive a 401
for an expired session, add the following header to all AJAX requests:
X-Requested-With: XMLHttpRequest