You need to sign in or sign up before continuing.
Newer
Older
redirect_from:
- /docs/latest/operations-guide/changing-session-expiration
![metabase-bot[bot]'s avatar](https://secure.gravatar.com/avatar/5a54b0ee1ad6bf1b2f5cc0cf8d899cd3472359c55cfa3b55c0f005eea7c06b71?s=72&d=identicon "metabase-bot[bot]")
metabase-bot[bot]
committed
By default, Metabase sessions are valid for two weeks after a user last authenticated (e.g. by entering their email address/password or via an SSO provider). For example, even if you visit your Metabase instance every day, you'll still have to log in again every two weeks.
metabase-bot[bot]
committed
## Session age
The session age is the maximum time that a person stays logged into Metabase (even if the person closes the browser).
You can set the environment variable [`MAX_SESSION_AGE`](../configuring-metabase/environment-variables.md#max_session_age):
```
# Change session expiration to 24 hours
MAX_SESSION_AGE=1440 java -jar metabase.jar
```
metabase-bot[bot]
committed
or set the Java system property:
```
java -DMAX_SESSION_AGE=1440 -jar metabase.jar
```
`MAX_SESSION_AGE` is in minutes.
metabase-bot[bot]
committed
## Session timeout
{% include plans-blockquote.html feature="Session timeout" %}
The session timeout is the maximum time that a person can be inactive (for example, if someone leaves Metabase open in a long-forgotten browser tab).
You can toggle this setting from **Admin** > **Authentication**, or set the environment variable [`MB_SESSION_TIMEOUT`](../configuring-metabase/environment-variables.md#mb_session_timeout).
Session timeout is null by default. You can use a session timeout to log people out earlier than the max [session age](#session-age).
metabase-bot[bot]
committed
## Session cookies
metabase-bot[bot]
committed
Metabase also supports using [session cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Session_cookies), which mean users will only stay authenticated until they close their browser. This can be enabled on a per-user basis by unchecking the "Remember me" box when logging in. Once the user closes their browser, the next time they visit Metabase they'll have to log in again. Session expiration still applies, so even if you leave your browser open forever, you'll still be required to re-authenticate after two weeks or whatever session expiration you've configured.
metabase-bot[bot]
committed
You can tell Metabase to always use session cookies with the environment variable or Java system property `MB_SESSION_COOKIES`:
```
MB_SESSION_COOKIES=true java -jar metabase.jar
```
metabase-bot[bot]
committed
Setting this environment variable will override the behavior of the "Remember me" checkbox and enforce the use of session cookies for all users.
metabase-bot[bot]
committed
Note that browsers may use "session restoring", which means they automatically restore their previous session when reopened. In this case, the browser effectively acts as if it was never closed; session cookies will act the same as permanent cookies. For browsers that support this feature, this behavior is usually configurable.