G Suite Session Lifetime

Up until now, G Suite has relied on session cookies to control the length of a user session when logged into G Suite through an Identity Provider such as RM Unify. These cookies were intended to expire whenever the browser was closed, meaning the user would be redirected to sign-in again to RM Unify whenever they reopened the browser and visited a Google site.

Google now believes that the behaviour of different browsers has become inconsistent and so have taken the decision to remove session-based cookies and rely instead on explicit session length controls. Unlike session cookies, these controls will be respected regardless of the user’s browser.

Session-based cookies for G Suite customers federated to RM Unify were removed on May 7th, 2018.

From May 7th, 2018, if you logout of RM Unify then RM Unify will also log you out of G Suite. If you only close your browser, however, although you will be automatically logged out of RM Unify, your G Suite session may persist and may still be active when you re-open the browser depending on the session length that has been set.

We believe that the default session length of 14 days that is set by G Suite is longer than we would advise, particularly in a school environment with shared devices. We would suggest setting a session length closer to the length of a school day, perhaps 8 hours but you may choose to set different session lengths, for example, for your students and teachers. Session length can be set either for a whole tenancy or by organisational unit within your school's G Suite tenancy using the instructions provided by Google for setting a custom session length.

For more information see: https://gsuiteupdates.googleblog.com/2018/04/session-length-controls-saml-domains.html

A more secure sign-in flow on Chrome

Also from May 7th, 2018, if a user signs into the chrome browser after signing into RM Unify, they will be brought to a new screen on accounts.google.com to confirm their identity. This step has been introduced by Google to provide an additional layer of security and help prevent users from unknowingly signing in to an account created and controlled by an attacker.

To minimize disruption for the user, Google has indicated that this feature should only be shown once per account per device. They are also working on ways to make the feature even more context-aware in the future, meaning that users should see the screen less and less over time.

For more information, see information here: https://gsuiteupdates.googleblog.com/2018/04/more-secure-sign-in-chrome.html

back to top button
back to top button