Why am I automatically logged out after 30 minutes of inactivity?

Our web application protects sensitive and confidential data. We use various security mechanisms to ensure that this information is secured as effectively as possible. One of these is the session timeout, which automatically logs you out after a period of inactivity. Here we explain why this is necessary.

What does this mean?

If you do not show any activity in the application for 30 minutes (e.g. no entries, clicks or mouse movements), you will be automatically logged out. To continue working, you must log in again.

Why is this done?

This measure protects your data, especially in the following situations:

  • You are working on a public or shared device.
  • You leave your workstation unattended for a short period of time.
  • You forget to log out manually.
  • You stay logged in without using the application. An idle but still active session poses a risk: someone could gain unauthorised access to the application while you are away.

What do data protection regulations and security standards say about this?

Automatic logout is backed by both legal requirements and security recommendations:

  • The General Data Protection Regulation (GDPR) and the Data Protection Act (DSG) require that personal data be processed confidentially and securely. The session timeout is a concrete measure to implement this.
  • The independent IT security organisation OWASP (Open Worldwide Application Security Project) recommends automatic session termination after inactivity in its Session Management Best Practices. For sensitive applications, a time period of 15 to 30 minutes is considered reasonable.

Conclusion

Automatic logout after 30 minutes of inactivity (effective from April 2025) is a security measure to protect your data. It complies with legal requirements, international security standards and proven recommendations.
