This article explains how to manage session timeout for your organization. With this setting, Personio automatically logs employees out after a set period of inactivity.
Adjusting this setting helps you balance usability and security in a way that suits your organization’s needs. For example, if your employees use Personio regularly, you might lengthen the session timeout to minimize disruption. If you have deskless employees or those using shared workstations, you might shorten it to meet stricter security requirements.
Before you start
- To manage session timeout for your organization, you need the following permissions:
- An Administrator role in Personio, or
- An employee role with edit permissions for Account configuration > Authentication.
- The session timeout settings apply to all employees in your organization. You can't set different values for individual employees.
- This setting only applies to the Personio web app. The timeout for mobile app sessions is set to one month (30 days).
- Personio logs session timeout changes in the Audit Log.
Understand session timeout
Session timeout is the length of time an employee can stay logged in to Personio without any activity. Once this period ends, Personio logs them out automatically. It displays a message that explains why the session ended and prompts them to log in again.
The default timeout is three days. However, you can set it to any of the following values:
| Session timeout value | Use case example |
| Ten hours | Employees who log in daily. |
| Three days | Employees who log in a few times per week. |
| One week | Extended access for trusted environments. |
| One month | The maximum amount of time allowed between logins. |
Session timeout vs. maximum session length
The session timeout setting controls inactivity only. It's different from the maximum session length, which defines the total amount of time an employee can stay logged in, even while actively using Personio. The maximum session length is fixed at 30 days for everyone, and you can't change it.
Understand timeout and logout triggers
The following events don't trigger a timeout as long as the employee stays active:
- Opening a new tab or window in the same browser.
- Impersonating an employee (using the Login as employee feature).
The following events may require the employee to log in again, even within the timeout period:
- Opening a new browser (for example, switching from Chrome to Safari).
- Opening a new incognito window.
- Using a different device.
- Cookies being cleared, either manually or by an IT policy.
If you change an employee’s status to Inactive, Personio logs them out with immediate effect. This happens regardless of the session timeout length.
Adjust the session timeout
The default session timeout is three days. To adjust this setting for your organization, follow these steps:
- Go to Settings.
- In the Security & integrations section, click Security & authentication.
- Scroll down to Security.
- Adjust the length of the timeout by selecting a value from the dropdown.
The new setting applies to all employees the next time they log in.