BluAuth
Sign in

My session keeps expiring

BluAuth sessions don't last forever — they expire on purpose, so a stolen laptop or a forgotten browser can't stay signed in indefinitely. But "I was just using it" expiry is frustrating. This page explains how sessions work and what you can do about the common causes.

What a session is

A session is the record BluAuth keeps that says "this browser on this device is currently signed in as you." It's stored as a secure cookie in your browser. Every time you do something in a Blu app, the app checks that cookie with BluAuth to confirm you're still you.

When the session expires, the cookie stops being accepted. The app asks you to sign in again, a new session is created, and you're back in.

You can have separate sessions for the same account on different browsers and different devices — they're independent of each other.

How long sessions last

The exact numbers depend on your tenant's policy, but every session has two limits.

Idle timeout

Sessions refresh as you use them. If you go idle for longer than the idle timeout, the session expires. Typical values:

  • 1 hour for most tenants.
  • 30 minutes for higher-security tenants (healthcare, finance, regulated environments).
  • 15 minutes for the strictest configurations.

Idle means "no activity at all" — not just "I wasn't typing." Background activity from an open Blu app tab counts as activity.

Absolute expiry

Even with continuous use, every session hits a hard cap and ends. Typical values:

  • 24 hours is the default.
  • 7 days with "remember me" enabled.
  • Shorter caps for higher-security tenants.

Once the absolute cap is hit, you have to sign in fresh — no amount of activity keeps it alive beyond that.

2FA re-prompts

Some tenants also re-prompt for your 2FA code every few days, even within an active session. You won't have to type your password again, just the code from your authenticator app. See two-factor authentication.

Remember me

If the sign-in page offers a Remember me checkbox, checking it extends the absolute expiry — usually to 7 or 30 days. It does not disable the idle timeout; a forgotten laptop still gets signed out eventually.

Leave Remember me unchecked on shared or public devices. Anyone who opens the browser within the remembered window will be signed in as you.

What triggers a forced re-auth

Some events end your session immediately, regardless of the timers.

  • Password change. Resetting your password ends every other session you have on other devices. The device you reset on stays signed in.
  • Admin revoke. Your admin can invalidate one session or all of your sessions at once — usually in response to a security concern.
  • Suspicious activity. BluAuth automatically ends sessions if something looks unusual: a sign-in from a new country, a sudden change in the device fingerprint, or a pattern that matches known attacks.
  • Account merge. When two accounts are combined (see account linking), existing sessions on the secondary account end.
  • Role change. If an admin changes what your account is allowed to do, your session is refreshed — sometimes that requires signing in again.
  • 2FA enrollment changes. Turning 2FA on or off invalidates other sessions to force a re-auth with the new factor.

Seeing your active sessions

Your profile page shows every device currently signed in as you. Click your avatar, then Profile → Security → Active sessions. You'll see, for each session:

  • The device type (desktop, phone, tablet).
  • The browser (Chrome, Safari, Firefox, etc.).
  • The city and country of the last activity.
  • When the session started.
  • When it was last active.

The session you're currently using is marked This device. The others are places you're still signed in.

Killing other sessions

If you see a session you don't recognize — or you just want to sign out of a device you no longer have — click Sign out next to that session. It ends immediately, and the next action on that device will prompt for a new sign-in.

To sign out of everything except the device you're on, click Sign out of all other sessions. This is a good first step if you think your account might be compromised. Then change your password.

Why it might be happening unexpectedly

If you feel like you're getting signed out more often than the timers suggest, one of these is usually the cause.

Browser clearing cookies

Some browser settings remove your session every time you close the tab:

  • Private / incognito mode (always clears on close).
  • "Clear cookies on exit" settings.
  • Aggressive third-party cookie blocking.
  • Some privacy extensions (Privacy Badger, some uBlock rules).

Check your browser's privacy settings and make sure cookies for auth.blutools.io (or your tenant's BluAuth domain) are allowed to persist.

Multiple devices exceeding the limit

Some tenants limit the number of concurrent sessions per user. When you sign in on a new device past the limit, the oldest session is ended automatically — which looks like "I got signed out on my old computer for no reason." Check your active sessions list; if a new device just appeared, that's why.

Clock skew

BluAuth validates sessions against the current time. If your device's clock is wrong by more than a few minutes, sessions can appear to have already expired the moment they're created. Set your clock to automatic network time.

Getting kicked mid-action

If a session ends right as you're doing something, it's usually one of:

  • An admin revoke just happened (ask your admin).
  • Your password was reset from another device.
  • You hit the absolute expiry — the timer doesn't pause for your in-flight action.
  • Suspicious-activity detection triggered on an unrelated signal.

Signing back in will work. If it keeps happening in the middle of short tasks, that's not normal — reach out to your admin.

What to do

  • Sign in again. If your session expired normally, that's the fix.
  • Check your browser settings. Cookies enabled, not cleared on close, no aggressive extensions for the BluAuth domain.
  • Review active sessions. If you don't recognize one, sign out of it and change your password.
  • Ask your admin if you're being signed out every few minutes — the policy may be tighter than you expect, or something specific to your account is going on.

Common questions

Why am I signed out every time I close my browser?

Most likely one of:

  • Private / incognito mode. Sessions never survive a private window closing.
  • "Clear cookies on exit" is enabled in your browser settings. Turn it off for the BluAuth domain, or disable it globally if you're comfortable with that.
  • A cookie-clearing extension. Extensions like Cookie AutoDelete wipe cookies aggressively. Add the BluAuth domain to the extension's allow list.

Why does a single sign-in sometimes work across multiple Blu apps?

BluAuth is one identity for every Blu app that uses it. When you sign in once, other Blu apps can reuse that session without asking for your credentials again — that's a feature called single sign-on. If you sign out of one Blu app, the others may or may not sign you out depending on how each one handles it; sign out of BluAuth itself (via the profile page) if you want to end everything in one step.

Is there a way to extend my session?

Not on the user side. The timeouts are set by your tenant's security policy and can't be overridden per user. If the policy is tighter than you need, the right move is to ask your admin — some tenants have room to loosen it, others don't.

I get signed out the moment I try to do something sensitive

Some actions (changing your password, enabling or disabling 2FA, managing API keys) require a fresh sign-in even within an active session. That's called step-up auth. It's not a session expiry; BluAuth is specifically asking you to prove it's still you before letting the action go through. Sign in again and retry the action.

I see "session expired" on a page I just opened

If a page has been sitting in your browser overnight and you come back to it, your session may have expired while the page was open. Refresh the page — it'll redirect you to sign in, and after you do, you'll come back to where you were.

Related