Stop logging users out every 15 minutes

Short sessions feel secure. They're mostly just annoying, and they push users toward worse habits.

By the LoginWith team

Hard 15-minute session timeouts trace back to 1990s banking UX. They don’t belong in modern SaaS. Here’s why — and what to use instead.

The history

Short session timeouts were designed for shared terminals — the PC at the bank teller’s desk, the computer at the public library. If the user walked away without logging out, the next person wouldn’t inherit their session. Fair enough in 1998.

In 2026, your users are on their personal devices, usually their phones, and the session context is completely different. A short timeout doesn’t protect them from a shared-terminal threat that doesn’t exist. It just annoys them.

What hard timeouts actually cost

  • Retention: users don’t re-sign-in. They switch tabs, forget, or close the app.
  • Security posture ends up worse: users pick weaker passwords because they have to type them ten times a day.
  • Support tickets: “why do I keep getting logged out?” is one of the top categories in every B2C helpdesk.
  • Feature adoption: users don’t explore a product they can’t stay logged into.

What to use instead

Sliding sessions

Refresh the session on every authenticated request. The session expires after N minutes of inactivity, not N minutes total. For most SaaS, 24 hours of inactivity is a fine default; 7 days for low-risk apps.

Step-up authentication

When the user wants to do something sensitive — change email, change password, view billing, access a specific workspace — require them to re-auth at that moment, not because their session expired. This gives you security on sensitive actions without friction on the normal path.

Device binding

Tie the session to the device (user agent + some fingerprint + IP region). If any of those change significantly, require re-auth. Legitimate users rarely hop devices mid-session; attackers with a stolen cookie almost always do.

Explicit “remember me”

On the login page, default “remember me” to checked. Don’t make users opt in every time. If they’re on a shared computer and want a short session, they’ll uncheck. If they’re on their phone, they want the long session and you shouldn’t make them ask for it.
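The four techniques above (sliding sessions, step-up authentication, device binding and a default-on "remember me") fit together in one small session store. The following is an added example written for this post, not LoginWith's own code; the timeout values, the set of sensitive actions, the five-minute step-up freshness window and the choice to revoke a session outright when its device binding breaks are all assumptions made here.

```python
import secrets
from dataclasses import dataclass

# Assumed policy values, not taken from the post: a long idle window when
# "remember me" is checked, a short one when the user unchecks it on a shared machine.
IDLE_REMEMBERED = 24 * 3600   # 24h of inactivity, the post's suggested SaaS default
IDLE_SHARED = 15 * 60         # 15 min of inactivity when "remember me" is unchecked
STEP_UP_FRESHNESS = 5 * 60    # how long one fresh re-auth covers sensitive actions (assumption)
SENSITIVE = {"change_email", "change_password", "view_billing"}

@dataclass
class Session:
    user_id: str
    device: tuple            # (user_agent, fingerprint, ip_region) the session is bound to
    idle_timeout: int        # per-session, chosen from the "remember me" checkbox
    last_seen: float         # slides forward on every authenticated request
    last_strong_auth: float  # time of the last password/MFA proof

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user_id, device, now, remember_me=True) -> str:
        """Issue a session token; remember_me defaults to True, as the post recommends."""
        token = secrets.token_urlsafe(32)
        idle = IDLE_REMEMBERED if remember_me else IDLE_SHARED
        self._sessions[token] = Session(user_id, tuple(device), idle, now, now)
        return token

    def step_up(self, token, now):
        """Call after the user has re-proved their identity for a sensitive action."""
        self._sessions[token].last_strong_auth = now

    def authorize(self, token, device, action, now) -> str:
        s = self._sessions.get(token)
        if s is None or now - s.last_seen > s.idle_timeout:
            self._sessions.pop(token, None)
            return "expired"               # idle window ran out: full login required
        if tuple(device) != s.device:
            # Binding broke: treat the cookie as stolen and drop the session
            # (revoking here is an assumption; the post only says "require re-auth").
            self._sessions.pop(token, None)
            return "reauth_device"
        s.last_seen = now                  # sliding window: extend on every request
        if action in SENSITIVE and now - s.last_strong_auth > STEP_UP_FRESHNESS:
            return "step_up"               # session is fine, but this action needs fresh proof
        return "ok"
```

Note that `authorize` extends the idle window before checking for step-up, so a sensitive action never expires the session; it only asks for a fresh proof of identity.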

The banking exception

If you are building banking software, or healthcare, or anything under strict compliance, short timeouts may be mandated. Fine. But for your regular SaaS, they’re a 1990s artifact that’s quietly eating your retention.

Want auth that just works?

Get started with LoginWith