Session timeouts limit how long a signed-in Kibana browser session stays usable, which reduces the chance that an unattended dashboard or admin tab remains open longer than intended.
Kibana stores each login as an encrypted browser cookie plus an encrypted document in its hidden session index. The global xpack.security.session.idleTimeout setting expires inactive sessions, while xpack.security.session.lifespan sets a hard maximum age even when requests continue.
These settings are configured in kibana.yml on self-managed installs and take effect after a Kibana restart. A persistent xpack.security.encryptionKey should already be set before tightening session rules, especially on multi-node deployments, because mismatched or changed keys invalidate existing sessions across restarts or load-balanced nodes.
Steps to configure Kibana session timeouts:
- Edit the active Kibana configuration file.
$ sudoedit /etc/kibana/kibana.yml
Package installs usually keep kibana.yml at /etc/kibana/kibana.yml, while archive installs use the config directory under the Kibana home path.
- Set the global session idle timeout and absolute lifespan in kibana.yml.
xpack.security.session.idleTimeout: 30m
xpack.security.session.lifespan: 7d
Self-managed Kibana uses 3d of inactivity and 30d of total session age by default when these settings are left unset. Expired-session cleanup runs every 1h by default; xpack.security.session.cleanupInterval changes that cadence but cannot be set below 10s.
Provider-specific overrides can be set under xpack.security.authc.providers, for example xpack.security.authc.providers.saml.corporate_sso.session.idleTimeout.
Setting both values to 0 disables automatic session expiration and can leave the hidden session index growing until users log out.
- Keep a fixed xpack.security.encryptionKey in the same configuration if one is not already present.
xpack.security.encryptionKey: 3b2bb2da7265332eccc48ddbd6bca6bb9dc61f19d3133deaea2509c27a9f1134
Use a long random value and keep it identical on every Kibana instance connected to the same deployment.
Changing the existing key signs out active sessions immediately.
- Confirm the session settings are present in the configuration file Kibana actually reads.
$ sudo rg -n '^xpack.security.(encryptionKey|session.(idleTimeout|lifespan)):' /etc/kibana/kibana.yml
203:xpack.security.encryptionKey: 3b2bb2da7265332eccc48ddbd6bca6bb9dc61f19d3133deaea2509c27a9f1134
204:xpack.security.session.idleTimeout: 30m
205:xpack.security.session.lifespan: 7d
If the service uses a custom KBN_PATH_CONF directory, run the same check against that file instead of assuming /etc/kibana/kibana.yml.
- Restart the Kibana service to apply the updated session settings.
$ sudo systemctl restart kibana
- Verify the Kibana service returned to the active (running) state.
$ sudo systemctl status kibana --no-pager --full | head -n 12
● kibana.service - Kibana
     Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: enabled)
     Active: active (running) since Thu 2026-04-02 01:14:22 UTC; 17s ago
       Docs: https://www.elastic.co
   Main PID: 8123 (node)
      Tasks: 11 (limit: 28486)
     Memory: 1008.3M (peak: 1.4G)
        CPU: 31.558s
##### snipped #####
Use journalctl --unit=kibana --no-pager -n 50 if the unit never reaches active (running) or loops during startup.
A YAML syntax mistake or unsupported setting keeps the web UI unavailable until the configuration is corrected.
- Leave a signed-in Kibana tab idle longer than the configured idleTimeout.
Temporarily setting a short value such as 2m speeds up this idle-expiration check; restore the production value afterwards.
- Reload the tab or make another authenticated request after the timeout window passes.
- Confirm Kibana redirects to the login page or the configured external identity provider after the session expires.
SAML and OpenID Connect providers can redirect straight back to the identity provider instead of showing the local Kibana login form. Repeat the test with ongoing activity when the hard lifespan limit also needs confirmation.
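The following checker, added here as an example and not part of the original guide or of Kibana itself, audits the settings this procedure configures: it parses Kibana duration strings, reports the documented defaults when idleTimeout or lifespan are unset, flags the 0 values that disable expiration, enforces the 10s cleanupInterval floor, and checks that encryptionKey is present and at least 32 characters long (Kibana's minimum). It assumes the flat dotted-key kibana.yml form shown above; the sample configuration is constructed, and the helper names are hypothetical.

```python
import re

# Constructed sample kibana.yml in the flat dotted-key form this guide uses.
SAMPLE_KIBANA_YML = """\
server.host: "0.0.0.0"
xpack.security.encryptionKey: 3b2bb2da7265332eccc48ddbd6bca6bb9dc61f19d3133deaea2509c27a9f1134
xpack.security.session.idleTimeout: 30m
xpack.security.session.lifespan: 7d
xpack.security.session.cleanupInterval: 5s
"""

UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Defaults for self-managed Kibana when the keys are left unset.
DEFAULTS = {"idleTimeout": "3d", "lifespan": "30d"}


def parse_duration(value):
    """Convert a Kibana duration such as '30m' or '7d' to seconds; a bare '0' means disabled."""
    text = str(value).strip()
    if text == "0":
        return 0
    match = re.fullmatch(r"(\d+)(ms|s|m|h|d)", text)
    if not match:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


def load_flat_yaml(text):
    """Parse only top-level 'key: value' lines (assumption: no nested YAML); comments are dropped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_session_settings(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = load_flat_yaml(text)
    findings = []
    key = cfg.get("xpack.security.encryptionKey")
    if key is None:
        findings.append("encryptionKey unset: sessions will not survive restarts or node changes")
    elif len(key) < 32:
        findings.append("encryptionKey shorter than the 32 characters Kibana requires")
    for name, default in DEFAULTS.items():
        raw = cfg.get(f"xpack.security.session.{name}")
        if raw is None:
            findings.append(f"{name} unset, default {default} applies")
        elif parse_duration(raw) == 0:
            findings.append(f"{name} is 0: automatic expiration disabled")
    cleanup = cfg.get("xpack.security.session.cleanupInterval")
    if cleanup is not None and parse_duration(cleanup) < 10:
        findings.append("cleanupInterval below the 10s minimum")
    return findings
```

Point it at the file Kibana actually reads (including any custom KBN_PATH_CONF location) by passing the file contents to audit_session_settings.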
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
