Our users (intranet, enterprise app) are requesting a longer session time. They think that the 20 minutes allocated is not enough. Fine. To access the app they must first pass the login screen. This is where the session is initiated (correct?). Is it advisable to initially set the session.timeout to 5 minutes and once the user has been validated reset the session.timeout to 30 minutes? If the user can&#039t log in/on I dont want their session to hang around for the 30 mins, ya know?