Can the session timeout be changed?
Unfortunately the answer is no and here is why.
The reason the session timeouts are limited to 20 minutes is twofold:
- Sessions require server memory to remain active. We try to keep a lid on the amount of memory sessions consume, for obvious reasons. Ideally, a spike in traffic (and sessions) should not cause the server to run out of memory suddenly, so we try to keep a fair amount ready - which means the average number of sessions needs to be managed closely.
- Maintenance on the servers means that they'll have to be restarted or shutdown. Any active sessions at that time would be disrupted. To avoid that, we normally use a polite shoutdown policy, where the server no longer accepts new sessions and only serves old ones. At some point, they will all expire naturally, and site visitors notice nothing is wrong. This process requires a lot of time, as it is. Increasing the session time out may cause this to take days.
The session can time out faster than 20 minutes depending on current server load. For example, when clients first submit an email directing constituents to an alert, this increases the server load, which decreases the session time limit.