
# Session policy

> Configure session timeout and security policies.

**Session policy** controls how long signed-in sessions stay valid, which networks may access the product, and password rules when SSO is not enforced. Changes apply workspace-wide and affect compliance audits.

## Session timeout

Admins set **idle timeout** and **absolute maximum session length**:

* **Idle timeout** logs users out after a period of no activity. It balances security against long-running canvas work: some teams set 30–60 minutes for analysts and shorter values for admins.
* **Absolute timeout** forces re-authentication even if the user is active, which limits how long a stolen session token stays useful.

<Info>
  SSO sessions may still be controlled by your IdP; Planasonix respects the shorter of the two timeouts where both apply.
</Info>
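The following is an added example, not Planasonix code, showing how the two timeouts and an IdP cap combine when a session is checked. The policy and session models, the state names and the sign-in timestamps are assumptions constructed for the illustration; the point it demonstrates is that the absolute timeout applies even to an active user, that the shorter of the workspace and IdP lifetimes wins, and that a late request must not revive an already-expired session.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class SessionPolicy:
    idle_timeout: timedelta       # sign out after this much inactivity
    absolute_timeout: timedelta   # force re-authentication after this long, active or not


@dataclass
class Session:
    created_at: datetime
    last_activity: datetime
    idp_max_lifetime: Optional[timedelta] = None  # set when the IdP caps the SSO session


def effective_absolute_timeout(policy: SessionPolicy, session: Session) -> timedelta:
    """The shorter of the workspace absolute timeout and the IdP cap, where both apply."""
    if session.idp_max_lifetime is None:
        return policy.absolute_timeout
    return min(policy.absolute_timeout, session.idp_max_lifetime)


def evaluate(policy: SessionPolicy, session: Session, now: datetime) -> str:
    """Return 'active', 'idle_expired' or 'absolute_expired'.

    Absolute expiry is checked first: activity never extends it.
    """
    if now - session.created_at >= effective_absolute_timeout(policy, session):
        return "absolute_expired"
    if now - session.last_activity >= policy.idle_timeout:
        return "idle_expired"
    return "active"


def touch(policy: SessionPolicy, session: Session, now: datetime) -> str:
    """Record activity only for a still-valid session; an expired session is not revived."""
    state = evaluate(policy, session, now)
    if state == "active":
        session.last_activity = now
    return state


def scenarios() -> Dict[str, str]:
    """Constructed scenarios: 30-minute idle, 8-hour absolute, one SSO session capped at 1 hour."""
    policy = SessionPolicy(idle_timeout=timedelta(minutes=30), absolute_timeout=timedelta(hours=8))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sign-in time
    results: Dict[str, str] = {}

    # Plain session: fine at 10 minutes idle, signed out at 30.
    s = Session(created_at=t0, last_activity=t0)
    results["idle_10m"] = evaluate(policy, s, t0 + timedelta(minutes=10))
    results["idle_30m"] = evaluate(policy, s, t0 + timedelta(minutes=30))
    # A request arriving after idle expiry does not bring the session back.
    results["revive_after_idle"] = touch(policy, s, t0 + timedelta(minutes=30))

    # Continuously active user still hits the absolute limit at 8 hours.
    busy = Session(created_at=t0, last_activity=t0 + timedelta(hours=7, minutes=59))
    results["active_at_8h"] = evaluate(policy, busy, t0 + timedelta(hours=8))

    # SSO session: IdP cap of 1 hour is shorter than the workspace 8 hours, so it wins.
    sso = Session(created_at=t0, last_activity=t0, idp_max_lifetime=timedelta(hours=1))
    results["sso_effective"] = str(effective_absolute_timeout(policy, sso))
    touch(policy, sso, t0 + timedelta(minutes=25))   # active
    touch(policy, sso, t0 + timedelta(minutes=50))   # still active (25 min idle)
    results["sso_at_61m"] = evaluate(policy, sso, t0 + timedelta(minutes=61))
    return results


if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:>20}: {state}")
```

Checking absolute expiry before idle expiry is deliberate: if the order were reversed, a user who kept clicking would never see the forced re-authentication the policy promises.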

## IP allowlist

Restrict browser and API access to **corporate egress CIDRs** or VPN ranges. Remote contractors need explicit entries or a dedicated ZTNA path.

<Tip>
  Test allowlists from a non-production workspace first; a misconfigured list can lock out all admins except support break-glass accounts.
</Tip>

## Password policy

When local passwords are allowed, configure:

* Minimum length and complexity
* **Password history** to prevent reuse
* **Rotation** interval (where not superseded by SSO)

Password policy does not apply to SSO-only users.
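An added example, not Planasonix code, of a validator that applies the three settings above: minimum length and complexity, a salted-hash password history that prevents reuse, and a rotation check that is switched off when rotation is superseded by SSO. The policy field names, the class-count rule and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    # Hypothetical settings model; names are assumptions, not product setting names.
    min_length: int = 14
    required_classes: int = 3           # of: lowercase, uppercase, digit, symbol
    history_size: int = 5               # previous passwords that may not be reused
    rotation_days: Optional[int] = 90   # None when rotation is off or superseded by SSO


HistoryEntry = Tuple[bytes, bytes]      # (salt, derived key)


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow KDF so a leaked history table does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(history: List[HistoryEntry], password: str, policy: PasswordPolicy) -> List[HistoryEntry]:
    """Prepend the new password's salted hash and trim the list to history_size."""
    salt = os.urandom(16)
    return [(salt, _derive(password, salt))] + history[: max(policy.history_size - 1, 0)]


def reused(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate matches any remembered password (constant-time compare)."""
    return any(hmac.compare_digest(_derive(password, salt), key) for salt, key in history)


_CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"), re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def problems(policy: PasswordPolicy, candidate: str, history: List[HistoryEntry]) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    found = []
    if len(candidate) < policy.min_length:
        found.append("too_short")
    if sum(1 for cls in _CLASSES if cls.search(candidate)) < policy.required_classes:
        found.append("insufficient_complexity")
    if reused(candidate, history):
        found.append("reused")
    return found


def rotation_due(policy: PasswordPolicy, last_changed_iso: str, today_iso: str) -> bool:
    """Rotation is never due when the policy has no interval (e.g. SSO-only users)."""
    if policy.rotation_days is None:
        return False
    elapsed = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return elapsed >= policy.rotation_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = remember([], "Tundra-Kettle-4117", policy)      # constructed previous password
    for candidate in ["Tundra-Kettle-4117", "short1A!", "abcdefghijklmnopqrst", "Harbor-Lantern-9082"]:
        print(f"{candidate!r}: {problems(policy, candidate, history) or 'ok'}")
    print("rotation due:", rotation_due(policy, "2024-01-01", "2024-05-01"))
```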

## API and automation

Session cookies and **API keys** behave differently: keys often ignore browser session timeout but may still be constrained by **IP allowlists**. Document which automation subnets to add before enabling strict network rules.
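An added example, not Planasonix code, covering both the IP allowlist section above and this one: it parses CIDR entries, runs a pre-flight check that reports which known sources (admin egress, automation subnets, the break-glass path) a proposed allowlist would cut off before the list is enabled, and shows an API-key request passing the network check while skipping the browser session-timeout check. The allowlist entries, source inventory and addresses (RFC 5737 documentation ranges) are constructed for the illustration, and the `credential_kind` values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: List[str]) -> List[Network]:
    """Accept CIDRs or bare IPs; strict=False tolerates host bits in an entry like 203.0.113.5/24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(source_ip: str, allowlist: List[Network]) -> bool:
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allowlist)


@dataclass
class KnownSource:
    name: str
    ip: str
    kind: str   # "admin", "automation", "break_glass" or "user"


def preflight(entries: List[str], sources: List[KnownSource]) -> Dict[str, List[str]]:
    """Names of known sources the proposed allowlist would block, grouped by kind."""
    allowlist = parse_allowlist(entries)
    blocked: Dict[str, List[str]] = {}
    for src in sources:
        if not is_allowed(src.ip, allowlist):
            blocked.setdefault(src.kind, []).append(src.name)
    return blocked


def safe_to_enable(entries: List[str], sources: List[KnownSource]) -> bool:
    """Refuse to enable a list that would cut off admins, automation or the break-glass path."""
    return not (set(preflight(entries, sources)) & {"admin", "automation", "break_glass"})


def check_request(source_ip: str, credential_kind: str, allowlist: List[Network],
                  session_state: str = "active") -> str:
    """Network rules apply to every credential; browser session timeout applies only to cookies."""
    if not is_allowed(source_ip, allowlist):
        return "denied: network"
    if credential_kind == "cookie" and session_state != "active":
        return f"denied: session {session_state}"
    return "allowed"


# Constructed proposed allowlist: corporate egress plus the VPN range.
PROPOSED_ALLOWLIST = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed inventory of sources that must keep working after the list is enabled.
KNOWN_SOURCES = [
    KnownSource("hq-admins", "198.51.100.7", "admin"),
    KnownSource("vpn-break-glass", "203.0.113.250", "break_glass"),
    KnownSource("ci-runner", "192.0.2.10", "automation"),       # undocumented subnet: would be blocked
    KnownSource("contractor-home", "192.0.2.77", "user"),       # needs an entry or a ZTNA path
]


if __name__ == "__main__":
    print("blocked:", preflight(PROPOSED_ALLOWLIST, KNOWN_SOURCES))
    print("safe to enable:", safe_to_enable(PROPOSED_ALLOWLIST, KNOWN_SOURCES))
    print("after adding automation subnet:", safe_to_enable(PROPOSED_ALLOWLIST + ["192.0.2.0/24"], KNOWN_SOURCES))
    al = parse_allowlist(PROPOSED_ALLOWLIST)
    print("api key, expired browser session:", check_request("198.51.100.7", "api_key", al, "idle_expired"))
    print("cookie, expired browser session:", check_request("198.51.100.7", "cookie", al, "idle_expired"))
```

Running the pre-flight against a maintained source inventory is the practical form of "document which automation subnets to add": the list is only enabled once no admin, automation or break-glass source appears in the blocked report, and a blocked contractor surfaces as a finding rather than an outage.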

<AccordionGroup>
  <Accordion title="Break-glass access">
    Maintain an audited break-glass admin path, documented with the security team; do not rely on IP allowlists without a recovery story.
  </Accordion>

  <Accordion title="Geographic restrictions">
    Some deployments block sign-ins from unexpected countries; pair with IdP conditional access for defense in depth.
  </Accordion>
</AccordionGroup>

## Related topics

<CardGroup cols={2}>
  <Card title="SSO" icon="shield-halved" href="/settings/sso">
    Federated login and group claims.
  </Card>

  <Card title="MFA" icon="mobile-screen" href="/settings/mfa">
    Second factor requirements.
  </Card>
</CardGroup>
