← All controls

12 Web session-length control

A Workspace web session lasts 14 days by default, and the session cookie is a complete credential for whatever remains of that window — no password, no second factor. This setting caps the window per OU and sets what re-authentication costs when it lapses. On macOS, where device-bound session credentials (№10) do not apply, it is the primary mitigation for cookie theft: its whole value is the ceiling it puts on how long a stolen cookie is worth stealing.

Caveats

Setup steps

  1. open ↗ Security › Access and data control › Google session control

    Web session duration = 8 hours for admin/high-risk OUs; 1–7 days for general staff (default is 14 days)

  2. Security › Access and data control › Google session control
    Web session duration
    the chosen ceiling (re-auth method: №38)
  3. Security › Access and data control › Google session control

    Directory > Users > (user) > Security > Sign-in cookies > Reset — or GAM `gam user <x> signout`

    Sign a user out of a managed Google Account ↗

How to verify

  1. Confirm the session-length policy on the OU in the console, then leave a test session idle past the ceiling and confirm it demands re-authentication.

v0.1.3Prevent policy #3 · #29 ↗