# 12 Web session-length control

> v0.1.3 · role: Prevent · [policy: #3 · #29](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A Workspace web session lasts 14 days by default, and the session cookie is a complete credential for whatever remains of that window — no password, no second factor. This setting caps the window per OU and sets what re-authentication costs when it lapses. On macOS, where device-bound session credentials ([№10](chrome-profile-baseline.md)) do not apply, it is the primary mitigation for cookie theft: its whole value is the ceiling it puts on how long a stolen cookie is worth stealing.

Documentation: [Set session length for Google services](https://knowledge.workspace.google.com/admin/security/set-session-length-for-google-services)

## Caveats

- Sessions do not shorten retroactively — the old duration holds until the user signs out, so reset each affected user's sign-in cookies (per user in the console; script with GAM for a whole OU) or you have changed the setting and not the exposure.
- The Admin console's own session is fixed at 1 hour and cannot be changed — this setting governs Gmail, Drive and the rest of the web apps.
- Native mobile apps ignore this entirely — a short web session and an effectively permanent Gmail-on-iOS session coexist happily.
- If SSO (№15) is in play, the IdP's session must expire first — otherwise Workspace re-auth is a silent redirect the user never notices, which means neither does the attacker.

## Setup steps

1. Select the target OU (organizational unit) — admins and high-risk users get the short window; general staff can get a longer one — and open Web session duration. — `Security › Access and data control › Google session control`

   Web session duration = 8 hours for admin/high-risk OUs; 1–7 days for general staff (default is 14 days)

2. This screen sets the session duration. To also choose what re-authentication demands (password vs security key), use Google Cloud session control, which [№38](cloud-session-control.md) configures — pair the two wherever admins hold GCP roles. — `Security › Access and data control › Google session control`

   - **Web session duration** = the chosen ceiling (re-auth method: №38)

3. Save, then verify: sessions do not shorten retroactively. Reset sign-in cookies for each affected user so the new duration binds — the console does this one user at a time, so script it with GAM for a whole OU. — `Security › Access and data control › Google session control`

   Directory > Users > (user) > Security > Sign-in cookies > Reset — or GAM `gam user <x> signout`

   docs: [Sign a user out of a managed Google Account](https://knowledge.workspace.google.com/admin/devices/sign-a-user-out-of-a-managed-google-account)

## How to verify

1. Confirm the session-length policy on the OU in the console, then leave a test session idle past the ceiling and confirm it demands re-authentication.

## Settings screens

- Security > Access and data control > Google session control
  - console: https://admin.google.com/ac/managedsettings/352555445522/sessionmanagementsettings
  - screenshot: ../screenshots/admin.google.com/ac/managedsettings/352555445522/sessionmanagementsettings.png
