Session timeout occurs when a user does not perform any action in RB9 for the length of the set interval. You can set the interval at any 5-minute increment from 5 minutes to 60 minutes.
Continued from Customizing global preferences.
Default is 20 minutes. Select a different interval in the drop-down and click Save. The next time you or someone else logs into the system, the new timeout interval will apply to them.
OWASP (Open Web Application Security Project) recommends 2-5 minutes for idle time outs and 15-30 minutes for low-risk applications. NIST (US National Institute of Standards and Technology) recommends reauthentication session termination after 30 minutes of inactivity.