Azure B2C Session timeout is not working as expected on password reset page

Ravi Kant Dubey Dubey 0 Reputation points
2024-05-05T07:50:44.8266667+00:00

I applied the session settings below in the password reset journey as well as the default user journey. But the session is not expiring if the browser is left idle for more than 15 min (even tried after 2 hours). The session only times out after refreshing the page. I need to secure the application for the scenario below.

Scenario: A user on a public computer is trying to reset their password and has reached the new password screen; for some reason the user leaves the system unattended (leaves the public computer). 12 hours later, some unknown person accesses the system and enters a password on the screen the legitimate user left open.


    <UserJourneyBehaviors>
      <SingleSignOn Scope="Application" />
      <SessionExpiryType>Rolling</SessionExpiryType>
      <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
      <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>

1 answer

  1. Babafemi Bulugbe 1,955 Reputation points MVP
    2024-05-05T19:30:02.3633333+00:00

    Hello Ravi Kant Dubey Dubey,

    Thank you for posting this in the Microsoft Q&A Community.

    I understand that you would like the browser cookie session to expire after 15 minutes of inactivity.

    Please note that the cookie session timeout is controlled by two features in Azure B2C: KeepAliveInDays and SessionExpiryInSeconds. When KeepAliveInDays isn't enabled, SessionExpiryInSeconds handles the session timeout, which is the case here.

    However, I noticed that you set the SessionExpiryType to Rolling which indicates that the session is extended every time the user performs a cookie-based authentication. This is the default behavior.

    To resolve this, kindly change the SessionExpiryType to Absolute which indicates that the user is forced to reauthenticate after the period specified. Also, make sure you aren’t passing the parameter prompt=login to AAD B2C.


    Follow this link (https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior) to learn more about Azure AD B2C session behavior.

    Let me know if further assistance is required.

    Babafemi
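As an added illustration (not code from either post, and not Azure AD B2C's own implementation), the following Python model shows the difference between the two SessionExpiryType values discussed in the answer. With Rolling, the expiry window restarts at each cookie-based authentication; with Absolute, it is measured from when the session was first issued, no matter how much activity follows. The Session class, its field names, the touch/is_valid helpers and the constructed timestamps are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    """Minimal stand-in for a B2C session cookie (constructed for illustration)."""
    issued_at: datetime      # when the session cookie was first created
    last_auth_at: datetime   # most recent cookie-based authentication (Rolling only)
    expiry_seconds: int      # mirrors SessionExpiryInSeconds
    expiry_type: str         # mirrors SessionExpiryType: "Rolling" or "Absolute"


def is_valid(session: Session, now: datetime) -> bool:
    """Evaluate the cookie the way the server would on an incoming request.

    Rolling:  valid until last_auth_at + expiry_seconds (window slides forward)
    Absolute: valid until issued_at + expiry_seconds (window is fixed at issue time)
    """
    if session.expiry_type == "Rolling":
        anchor = session.last_auth_at
    elif session.expiry_type == "Absolute":
        anchor = session.issued_at
    else:
        raise ValueError(f"unknown SessionExpiryType: {session.expiry_type!r}")
    return now < anchor + timedelta(seconds=session.expiry_seconds)


def touch(session: Session, now: datetime) -> Session:
    """Record a cookie-based authentication at time `now`.

    Only a still-valid Rolling session is extended; an Absolute session keeps
    its original deadline, which is the property the answer relies on.
    """
    if session.expiry_type == "Rolling" and is_valid(session, now):
        session.last_auth_at = now
    return session


def simulate(expiry_type: str, activity_minutes: list[int],
             check_minute: int, expiry_seconds: int = 900) -> bool:
    """Issue a session at a constructed t0, replay authentications at the given
    minute offsets, then report whether the cookie is still valid at check_minute.

    Note that validity is only ever evaluated when a request carries the cookie
    back to the server; a page already rendered in an idle browser is not
    re-checked until it is refreshed or submitted.
    """
    t0 = datetime(2024, 5, 5, 8, 0, 0)  # constructed start time
    session = Session(t0, t0, expiry_seconds, expiry_type)
    for minute in activity_minutes:
        touch(session, t0 + timedelta(minutes=minute))
    return is_valid(session, t0 + timedelta(minutes=check_minute))


if __name__ == "__main__":
    # A user who keeps authenticating every 10 minutes stays signed in under
    # Rolling but is cut off at the 15-minute mark under Absolute.
    print("Rolling, active every 10 min, checked at 40 min:",
          simulate("Rolling", [10, 20, 30], 40))
    print("Absolute, active every 10 min, checked at 40 min:",
          simulate("Absolute", [10, 20, 30], 40))
    # The asker's scenario: no activity at all for 12 hours.
    print("Rolling, idle 12 h:", simulate("Rolling", [], 12 * 60))
    print("Absolute, idle 12 h:", simulate("Absolute", [], 12 * 60))
```

The last two cases make the practical point for the scenario in the question: under either setting the cookie is already invalid after 12 idle hours, but the server only learns that when the browser sends a request, which is why the timeout appears to take effect only on refresh.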