This feature is available with Cloud Identity Premium edition. Compare editions
As an administrator, you can control how long users can access Google services, such as Gmail on the web, without having to sign in again. For example, for users that work remotely or from untrusted locations, you might want to limit the time that they can access sensitive resources by applying a shorter web session length. If users want to continue accessing a resource when a session ends, they’re prompted to sign in again and start a new session.
About the settings
- The session-length control settings documented below affect sessions with all Google web properties that a user accesses while signed in. We're adding support for a more fine-grained support over some types of sessions. For details on the controls for Google Cloud tools, and how these controls interact with the parent session control on this page, see Set session length for Google Cloud services.
- How the settings work on mobile devices varies by device and app (see Considerations below). By default, the web session length for Google services is 14 days.
- The session length for admins using the Google Admin console is set to one hour and cannot be modified. After an hour, admins need to sign in again. This length applies only to the Admin console. Other Google services have the session lengths they’re set to.
Considerations
When and how users sign in
- When a web session expires for a user, they see the Verify it's you page and must sign in again.
- When you change the session length, users need to sign out and then sign in again for the new settings to take effect. The previous session length remains in effect until the user signs out and back in.
- Users might not sign out for some time. If you want them to sign in again sooner, you can reset users’ sign-in cookies. You have to reset each user one at a time. For details, see Block access to your Google service on a lost device.
- If you set the session to never expire, users never have to sign in again.
- If you need some users to sign in more frequently than others, place them in different organizational units. Then, apply different session lengths to them. That way, certain users won’t be interrupted to sign in when it isn’t necessary.
- You can also require users to sign in with 2-Step Verification (2SV). To verify trusted devices, you could have users touch their security key. For details, see Set up 2-Step Verification.
- If a Google Meet meeting starts within 2 hours of a session's scheduled expiration, the user is forced to sign in again before the start of the meeting. This helps avoid an interruption to the meeting while in-progress.
Mobile devices
- You can’t configure session lengths for native mobile apps, such as Gmail or Google Calendar, on Android or Apple iOS devices. Session lengths are not enforced on OAuth-authenticated apps or ChromeOS.
Note: Login sessions for native mobile apps do not expire unless there's an event that causes a need for reauthentication, such as when a user's password is reset.
For Chrome Browser:
- You can apply session-length settings only to Chrome Browser on Android or iOS devices when the user is not signed in. If the user is signed in, settings won't apply. However, you can apply session-length settings as normal on other mobile browsers, such as Apple Safari and Mozilla Firefox.
Third-party identity providers
- If you’re using a third-party identity provider (IdP), such as Okta or Ping, and you set web session lengths for your users, you need to set the IdP session length parameter to expire before the Google session expires. That way, your users will be forced to sign in again. If the third-party IdP session is still valid when the Google session expires, the Google session might be renewed without the user signing in again.
- For details on how to set the session length on your specific IdP, refer to your IdP's documentation.
ChromeOS specific settings
To configure session lengths for managed users using primary accounts on ChromeOS devices, set the maximum user session length. For details, see Maximum user session length.
You cannot configure the session lengths for managed users using secondary accounts. To block users from adding managed accounts as secondary accounts, set the Add restrictions on a managed account's usage as a secondary account on ChromeOS policy.
Set session durations
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAccess and data controlGoogle Session control.
- On the left, select the organizational unit where you want to set session length.
For all users, select the top-level organizational unit. Otherwise, select another organization to make settings for its users. Initially, an organization inherits the settings of its parent organization. - For Session control, under Web session duration, choose the length of time after which the user has to sign in again.
- Click Override to keep the setting the same, even if the parent setting changes.
- If the organizational unit's status is already Overridden, choose an option:
- Inherit—Reverts to the same setting as its parent
- Save—Saves your new setting (even if the parent setting changes)
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.