User session timeout

Hello,
I am trying to understand more regarding session timeout in case of inactivity. If I am correct, if I am logging in via LDAP and the token assigned to the identity is renewable (tokenTTL=1h), when the token is about to expire, it will generate a new one with a validity of 1 hour. But what happens in case of inactivity?
I am testing this behaviour on HashiCorp Vault OSS version 1.15.6 and after about 3 minutes of inactivity, the following table displays:

But I am still logged in for the whole duration of the token's validity. This is where I am struggling to understand. I also couldn’t find any additional information in the official documentation.

It’s been a while since I dug into this, but from what I recall, every time you click on something that results in an API call back to Vault, it will also send an auth/token/renew-self call, which renews the token for the “default_ttl” duration of the role you logged in with.

In terms of inactivity, if you don’t click anything in the GUI that generates an API call back to Vault (e.g., filtering policies or clicking through the Tools section) then the token will not be renewed and the existing expiration time will remain in effect.

Keep in mind that if you have any dynamic credentials checked out (i.e., leased) they will be revoked when your session has expired, so plan your TTLs accordingly.

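The behaviour described in the answer above, as an added example that is not part of the thread and is not Vault's own code: a simplified model of a renewable token whose expiry moves only when an API call triggers a renewal. The `SessionToken` class, the sample lease name and the `max_ttl` cap (renewals cannot push expiry past a maximum measured from issue time) are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MIN, HOUR = 60, 3600  # all times are seconds since login


@dataclass
class SessionToken:
    """Simplified model of a renewable token (hypothetical, not Vault's implementation)."""
    issued_at: int
    ttl: int                        # TTL applied at login and on every renewal
    max_ttl: Optional[int] = None   # assumption: hard cap counted from issued_at
    leases: List[str] = field(default_factory=list)  # dynamic credentials tied to the token
    expires_at: int = field(init=False)

    def __post_init__(self):
        self.expires_at = self.issued_at + self.ttl

    def is_valid(self, now: int) -> bool:
        return now < self.expires_at

    def api_call(self, now: int) -> bool:
        """UI activity: the request is accompanied by a renew-self, as the answer describes."""
        if not self.is_valid(now):
            return False            # expired tokens cannot be renewed; log in again
        new_expiry = now + self.ttl
        if self.max_ttl is not None:
            new_expiry = min(new_expiry, self.issued_at + self.max_ttl)
        self.expires_at = new_expiry
        return True

    def active_leases(self, now: int) -> List[str]:
        """Leases live only as long as the token that checked them out."""
        return list(self.leases) if self.is_valid(now) else []


def demo() -> dict:
    # Constructed scenario: 1h TTL, one click at 00:30, then no further activity.
    tok = SessionToken(issued_at=0, ttl=1 * HOUR, max_ttl=4 * HOUR,
                       leases=["database/creds/app (constructed)"])
    out = {}
    tok.api_call(30 * MIN)                             # renewal moves expiry to 01:30
    out["expiry_after_click"] = tok.expires_at
    out["valid_after_3min_idle"] = tok.is_valid(33 * MIN)   # idling changes nothing
    out["expiry_after_idle"] = tok.expires_at
    out["valid_at_01h31"] = tok.is_valid(91 * MIN)          # existing expiry takes effect
    out["leases_at_01h31"] = tok.active_leases(91 * MIN)    # revoked with the session
    out["click_after_expiry"] = tok.api_call(92 * MIN)
    return out
```

In this model inactivity never shortens the session: the expiry set by the last renewal simply stays in effect until it passes.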