Long admin sessions widen the window for abuse. If an admin walks away from an unlocked workstation, or an attacker steals the admin session cookie, the attacker can act with full admin rights for as long as that session stays valid. The longer the session lifetime, the longer a single lapse or a single stolen cookie remains usable.
Capping the Admin Session Lifetime at 900 seconds (15 minutes) shrinks that window: an idle session, legitimate or stolen, is invalidated after 15 minutes without a request, so sensitive actions such as managing orders, customer data, or payment settings are exposed for minutes rather than hours. Note the limit applies to idle time, since every admin request restarts the countdown; it does not cut off an attacker who is actively using a stolen cookie, which is why it belongs alongside cookie hardening and two-factor authentication rather than in place of them.
# In Admin UI:
Stores → Configuration → Advanced → Admin → Security → Admin Session Lifetime (seconds)
# Value should be 900 or less. Magento 2 ships with 900 as the default and accepts values from 60 to 31536000 seconds; the same setting lives at the config path admin/security/session_lifetime.
# Admin Session Lifetime set to 7200 (2 hours)
Too long, unsafe: a stolen cookie or an unattended admin tab stays usable for up to two hours of inactivity.
# Admin Session Lifetime set to 900
Expires after 15 minutes of inactivity; each admin request restarts the countdown, so an active admin is not logged out mid-task.
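The same check and fix can be scripted for deployments and audits. The script below is an added example, not part of the original checklist or of Magento itself; it assumes it is run from the Magento root, that bin/magento is executable there, and that the setting is exposed at the config path admin/security/session_lifetime (which is where the Admin UI field above is stored). The MAX_LIFETIME, check_session_lifetime and current_session_lifetime names are the example's own.

```shell
#!/bin/sh
# Audit (and optionally enforce) the Magento admin session lifetime.
# Added example; run from the Magento root as: sh audit_session.sh [--fix]

MAX_LIFETIME=900                                 # 15 minutes, the recommended ceiling
MIN_LIFETIME=60                                  # lowest value Magento accepts
CONFIG_PATH="admin/security/session_lifetime"    # backing path for the Admin UI field

# Returns 0 when the value is an integer within [MIN_LIFETIME, MAX_LIFETIME],
# 1 when it is empty, non-numeric, below Magento's minimum, or too long.
check_session_lifetime() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) return 1 ;;                 # empty or contains a non-digit
    esac
    [ "$value" -ge "$MIN_LIFETIME" ] && [ "$value" -le "$MAX_LIFETIME" ]
}

# Reads the configured lifetime via bin/magento; prints nothing if the CLI
# is unavailable or the path cannot be read (treated as a failed check).
current_session_lifetime() {
    bin/magento config:show "$CONFIG_PATH" 2>/dev/null | tr -d '[:space:]'
}

# Sets the lifetime to MAX_LIFETIME and flushes the config cache so the
# new value takes effect for subsequent admin logins.
enforce_session_lifetime() {
    bin/magento config:set "$CONFIG_PATH" "$MAX_LIFETIME" && bin/magento cache:flush
}

# Only touch a real installation when one is present; the functions above
# can still be exercised on their own (for example from a test harness).
if [ -x bin/magento ]; then
    current=$(current_session_lifetime)
    if check_session_lifetime "$current"; then
        echo "OK: $CONFIG_PATH=$current (<= ${MAX_LIFETIME}s)"
    else
        echo "WARN: $CONFIG_PATH=${current:-unset} is above ${MAX_LIFETIME}s or invalid"
        if [ "${1:-}" = "--fix" ]; then
            enforce_session_lifetime && echo "FIXED: set $CONFIG_PATH=$MAX_LIFETIME"
        fi
    fi
fi
```

Without --fix the script only reports, so it can run as a read-only check in CI or a scheduled audit; with --fix it writes the recommended value and flushes the cache. Values below 60 are flagged as well, because Magento rejects them and a failed save would otherwise leave the old, longer lifetime in place.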