By: Jean Paul Ybanez user 12 Sep 2018 at 2:02 a.m. CDT

10 Responses
Hi Gluu Team,

I have 2 objectives to try out with Gluu's SSO and a web application.

The first objective is to force the user to log out if the user is idle or has no activity within 4 hours. So, in the web application, if it reaches 4 hours with no activity, it will then redirect to Gluu's login page.

The second objective is to force the user to log out if the browser is closed. So the next time the user accesses the web application, it will redirect to Gluu's login page.

How can I achieve the objectives mentioned above? Any input is highly appreciated.

Thanks and good day.

By Chris Blanton user 12 Sep 2018 at 2:49 p.m. CDT

> The first objective is to force the user to log out if the user is idle or has no activity within 4 hours. So, in the web application, if it reaches 4 hours with no activity, it will then redirect to Gluu's login page.

This would have to be handled application side, where an inactive session time is tracked and compared with the last activity time. From here the application can delete the user's session, which would force them to re-auth, and additionally end the user's session at the OP using a [front channel logout](https://openid.net/specs/openid-connect-session-1_0.html#RPLogout), if you want them to be logged out globally.

> The second objective is to force the user to log out if the browser is closed. So the next time the user accesses the web application, it will redirect to Gluu's login page.

This can be achieved by disabling `sessionIdEnabled` in `Configuration` -> `JSON Configuration` -> `oxAuth Configuration`. Whenever the browser is closed, the session cookie should be deleted and they'll be prompted again to log in through oxAuth.
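An added example (not part of the thread and not Gluu project code) of the application-side approach described in the answer above: track the last activity time, and once the 4-hour limit passes, drop the local session and send the browser to the OP's logout endpoint. The storage key, the `id_token` location, the `start()` call at login and the `idp.example.org` / `app.example.org` URLs are assumptions; take the real logout URL from `end_session_endpoint` in the OP's discovery document.

```javascript
// Idle limit from the thread: 4 hours. All other names here are hypothetical.
const IDLE_LIMIT_MS = 4 * 60 * 60 * 1000;
const KEY = 'app.lastActivity'; // hypothetical storage key

// RP-initiated logout URL, using the parameters from the OpenID Connect session spec.
function buildEndSessionUrl(endSessionEndpoint, idToken, postLogoutRedirectUri, state) {
  const url = new URL(endSessionEndpoint);
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// storage: object with getItem/setItem/removeItem (localStorage shares the
// timestamp across tabs). now: clock function, injectable so it can be tested.
function createIdleWatcher({ storage, now = Date.now, limitMs = IDLE_LIMIT_MS, onExpire }) {
  const start = () => storage.setItem(KEY, String(now())); // call once after login
  const check = () => {
    const last = Number(storage.getItem(KEY));
    // Missing or corrupt timestamp fails closed: treated as expired.
    const expired = !(last > 0) || now() - last >= limitMs;
    if (expired) {
      storage.removeItem(KEY);
      onExpire();
    }
    return expired;
  };
  // Activity only extends a live session, so returning after the limit cannot revive it.
  const touch = () => { if (!check()) start(); };
  return { start, touch, check };
}

// Browser wiring, skipped outside a browser. Assumes the login callback calls
// start() once and stores the ID token under 'id_token' (both assumptions).
if (typeof window !== 'undefined') {
  const watcher = createIdleWatcher({
    storage: window.localStorage,
    onExpire: () => {
      const idToken = window.sessionStorage.getItem('id_token');
      window.sessionStorage.clear(); // end the local application session first
      // Placeholder endpoint: use end_session_endpoint from the OP's discovery document.
      window.location.assign(buildEndSessionUrl(
        'https://idp.example.org/end_session', idToken, 'https://app.example.org/'));
    },
  });
  ['click', 'keydown', 'mousemove'].forEach((e) => window.addEventListener(e, watcher.touch));
  watcher.check(); // a page load after 4 idle hours logs out immediately
  setInterval(watcher.check, 60 * 1000);
}
```

A timer in the browser only covers the user experience; any API behind the application should apply the same idle limit to its own session or token checks.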

By Jean Paul Ybanez user 12 Sep 2018 at 9:18 p.m. CDT

Hi Chris,

Thanks for the reply.

Regarding the first objective, I see, so this is handled on the application side. I will try this out.

Regarding the second objective, since there is an attribute to be configured, does this have any after effects if `sessionIdEnabled` is disabled? Can you provide any info about `sessionIdEnabled`, its pros and cons?

Thanks and have a good day.

By Jean Paul Ybanez user 14 Sep 2018 at 4:30 a.m. CDT

Hi Chris,

I've tried what you suggested about disabling `sessionIdEnabled`, but it does not work according to the second objective. I've tried it in IE11 and it needs to log in twice: first with the oxAuth page, then followed by a security prompt which asks for the credentials again. After, it's the same behavior if `sessionIdEnabled` is true.

Could you provide steps or any inputs on this?

Thanks and have a good day.

By Chris Blanton user 14 Sep 2018 at 1:19 p.m. CDT

> After, it's the same behavior if sessionIdEnabled is true.

You mean that the session will be maintained in your client even if you close your browser entirely?

By Jean Paul Ybanez user 17 Sep 2018 at 5:11 a.m. CDT

Hi Chris,

Yes, I think so, because after I log in, then close the browser and access the application again, it does not redirect to the login screen; instead it redirects to the home screen as if it is logged in already.

BTW, I'm using the implicit flow with OIDC JS Client.

Thanks and good day.

By Chris Blanton user 20 Sep 2018 at 11:52 a.m. CDT

Hey Jean, Re-enable `sessionIdEnabled` and set `sessionIdLifetime` to 0. This should change the IDP `session_id` and `session_state` cookie to expire on Session.

By Chris Blanton user 20 Sep 2018 at 11:53 a.m. CDT

> the application it does not redirect to login screen instead it redirect to home screen as if it is login already.

This happens after clicking "Login", correct?

By Jean Paul Ybanez user 24 Sep 2018 at 5:06 a.m. CDT

Hi Chris,

I'll try this out.

> Re-enable sessionIdEnabled and set sessionIdLifetime to 0. This should change the IDP session_id and session_state cookie to expire on Session.

Also, regarding this:

> the application it does not redirect to login screen instead it redirect to home screen as if it is login already.

> This happens after clicking "Login" correct?

You mean the Login button on Gluu's login page? If so, then no, since it will not redirect to the login screen.

By Chris Blanton user 03 Oct 2018 at 1:40 p.m. CDT

Jean,

> Re-enable sessionIdEnabled and set sessionIdLifetime to 0. This should change the IDP session_id and session_state cookie to expire on Session.

I've come to the realization that this is only a feature in 3.1.4. My mistake. You can however upgrade your instance easily by using our upgrade scripts located here: [https://repo.gluu.org/upd/](https://repo.gluu.org/upd/), specifically the `3-1-4-upg.sh`. Follow [these instructions from the docs](https://gluu.org/docs/ce/upgrade/#overview) and you'll be up to date.

By Jean Paul Ybanez user 05 Oct 2018 at 4:58 a.m. CDT

Hi Chris,

Sorry for the late reply.

> I've come to the realization that this is only a feature in 3.1.4. My mistake. You can however upgrade your instance easily by using our upgrade scripts located here: https://repo.gluu.org/upd/, specifically the 3-1-4-upg.sh. Follow these instructions from the docs and you'll be up to date.

Ah, I see, so this is only possible in 3.1.4. I'll try this out soon.

Thanks and good day.