Session cookies and expiration


We manage your session and the sessions of your team members in the Customer.io user interface with a secure HTTP-only cookie. As an administrator, you can limit the duration of sessions as necessary to fit your own security policies.

How it works

We manage your session in Customer.io using a secure HTTP-only cookie. Because the cookie is HTTP-only, scripts running in the page can't read it; only the browser itself handles it. This protects your session from unauthorized access and from malicious cross-site scripting (XSS) attacks that try to steal it.

By default, our session cookies last for 14 days. But, as an administrator, you can set the duration of sessions for everybody on your team to fit your security policy—down to 1 hour.

If a session expires while a person is logged in, they’ll be prompted to re-authenticate, but they won’t lose their work. The login prompt appears wherever the user is in the product; it doesn’t force them back to the login screen!

 The session duration setting applies to all team members

You can’t set different session duration periods for different team members or roles.
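As an added example (not Customer.io's code), the following sketch shows how you might audit a captured `Set-Cookie` header against the properties described above: the HttpOnly and Secure attributes and a lifetime between 1 hour and 14 days. The cookie name `sid`, the sample header values, and the assumption that the lifetime is carried in `Max-Age` or `Expires` are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Bounds stated on this page: sessions last between 1 hour and 14 days.
MIN_LIFETIME = timedelta(hours=1)
MAX_LIFETIME = timedelta(days=14)

# Constructed sample headers; the cookie name and values are assumptions.
SAMPLE_OK = "sid=CONSTRUCTED; Path=/; Max-Age=1209600; Secure; HttpOnly"
SAMPLE_WEAK = "sid=CONSTRUCTED; Path=/; Max-Age=2592000"


def audit_session_cookie(set_cookie, now):
    """Return a list of findings for one Set-Cookie header value.

    `now` is the timezone-aware time at which the header was captured.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if len(jar) != 1:
        # SimpleCookie drops input it cannot parse, so check explicitly.
        raise ValueError("expected exactly one cookie in the header")
    morsel = next(iter(jar.values()))
    findings = []
    if not morsel["httponly"]:
        findings.append("HttpOnly missing: page scripts can read the cookie")
    if not morsel["secure"]:
        findings.append("Secure missing: cookie can travel over plain HTTP")
    # Browsers give Max-Age precedence over Expires when both are present.
    if morsel["max-age"]:
        lifetime = timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        lifetime = parsedate_to_datetime(morsel["expires"]) - now
    else:
        lifetime = None
    if lifetime is None:
        findings.append("no Max-Age or Expires: cookie carries no lifetime")
    elif lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds {MAX_LIFETIME}")
    elif lifetime < MIN_LIFETIME:
        findings.append(f"lifetime {lifetime} is below {MIN_LIFETIME}")
    return findings


if __name__ == "__main__":
    captured_at = datetime.now(timezone.utc)
    for header in (SAMPLE_OK, SAMPLE_WEAK):
        print(header, "->", audit_session_cookie(header, captured_at) or "ok")
```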

Set login session expiration

If you’re an administrator, you can set session duration between 14 days and 1 hour.

Anybody who is logged in when you change the setting will have to re-authenticate. They won’t lose their work; they’ll just need to re-enter their credentials to continue!

  1. Go to Settings > Account Settings and click Security.
    The security settings page with session expiration set to seven days
  2. Under Login session expiration, set the session duration period.

Your changes take effect immediately.
