Set session length for Google services

Supported editions for this feature: Frontline Standard and Frontline Plus; Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus; G Suite Business; Cloud Identity Premium. Compare your edition

As an administrator, you can control how long users can access Google services, such as Gmail on the web, without having to sign in again. For example, for users who work remotely or from untrusted locations, you might want to limit the time that they can access sensitive resources by applying a shorter web session length. If users want to continue accessing a resource when a session ends, theyâ€™re prompted to sign in again and start a new session.

About the settings

The session-length control settings documented below affect sessions with all Google web properties that a user accesses while signed in. We're adding support for a more fine-grained support over some types of sessions. For details on the controls for Google Cloud tools and how these controls interact with the parent session control on this page, go to Set session length for Google Cloud services.
How the settings work on mobile devices varies by device and app (go to Considerations below). By default, the web session length for Google services is 14 days.
The session length for admins using the Google Admin console is set to one hour and can't be modified. After an hour, admins must sign in again. This length applies only to the Admin console. Other Google services have the session lengths theyâ€™re set to.

Considerations

When and how users sign in

When a web session expires for a user, the Verify it's you page appears, and they must sign in again.
When you change the session length, users need to sign out and then sign in again for the new settings to take effect. The previous session length remains in effect until the user signs out and back in.
Users might not sign out for some time. If you want them to sign in again sooner, you can reset usersâ€™ sign-in cookies. You must reset each user one at a time. For details, go to Block access to your Google service on a lost device.
If you set the session to never expire, users never have to sign in again.
If you need some users to sign in more frequently than others, place them in different organizational units, then apply different session lengths to them. That way, certain users wonâ€™t be interrupted to sign in when it isnâ€™t necessary.
You can also require users to sign in with 2-Step Verification (2SV). To verify trusted devices, you could have users touch their security key. For details, go to Set up 2-Step Verification.
If a Google Meet meeting starts within 2 hours of a session's scheduled expiration, users are forced to sign in again before the start of the meeting. Once users have a security key, they can switch their re-authentication option from Security Key to Login by switching to the account chooser page.

Mobile devices

You canâ€™t configure session lengths for native mobile apps, such as Gmail or Google Calendar, on Android or Apple iOS devices. Session lengths aren't enforced on OAuth-authenticated apps or ChromeOS.
Note: Login sessions for native mobile apps don't expire unless there's an event that causes a need for reauthentication, such as when a user's password is reset.

For Chrome Browser:

You can apply session-length settings to Chrome Browser on Android or iOS devices only when the user isn't signed in. If the user is signed in, settings won't apply. However, you can apply session-length settings as normal on other mobile browsers, such as Apple Safari and Mozilla Firefox.

Third-party identity providers

If youâ€™re using a third-party identity provider (IdP), such as Okta or Ping, and you set web session lengths for your users, you need to set the IdP session length parameter to expire before the Google session expires. That way, your users will be forced to sign in again. If the third-party IdP session is still valid when the Google session expires, the Google session might be renewed without the user signing in again.
For details on how to set the session length on your specific IdP, refer to your IdP's documentation.

ChromeOS specific settings

To configure session lengths for managed users using primary accounts on ChromeOS devices, set the maximum user session length. For details, go to Maximum user session length.

You can't configure the session lengths for managed users using secondary accounts. To block users from adding managed accounts as secondary accounts, set the Add restrictions on a managed account's usage as a secondary account on ChromeOS policy.

Set session durations

Before you begin: If needed, learn how to apply the setting to a department or group.

Sign in with an administrator account to the Google Admin console.
If you arenâ€™t using an administrator account, you canâ€™t access the Admin console.
Go to Menu Security > Access and data control > Google Session control.
Requires having the Security settings administrator privilege.
(Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
For Session control, under Web session duration, choose the length of time after which the user has to sign in again.
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).

_{Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.}

Was this helpful?

How can we improve it?