Type: Suggestion
Resolution: Low Engagement
Component/s: Authentication / Security
The company I work for would like to implement CrowdID for our internal applications, but would like to see an improvement in the Crowd session handling to implement a maximum session duration, which would require users to re-enter their credentials after a set period of time regardless of whether their session remains active.
For example, with a session timeout of 1 hour, as long as you are active every 30 minutes, you can theoretically keep your single session open indefinitely. If there was a maximum session duration, you could require that every 24 hours a user's session is killed, and thus they need to re-authenticate, plugging a potential security hole of abusing idle session timeout durations.
If we could rely on CrowdID requiring a fresh login every set period of time, we would be able to pass our internal security reviews more easily and move forward with implementation.
Originally discussed in CWDSUP-7882
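The distinction the request draws, an idle timeout that activity keeps renewing versus an absolute maximum session duration that nothing renews, is shown below as an added example. This is illustrative code written for this page, not Crowd's or CrowdID's session handling; the 1-hour idle timeout, 24-hour cap, session field names and the simulated user are all assumptions taken from the numbers in the request.

```python
"""Idle timeout vs. absolute maximum session duration.

Constructed example (not Atlassian Crowd code): a minimal server-side
session record with two independent deadlines, and a simulation of a
user who keeps the session busy every 30 minutes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values taken from the request above: a 1-hour idle timeout and a
# 24-hour hard cap. Both are assumptions for the example.
IDLE_TIMEOUT = timedelta(hours=1)
MAX_SESSION_DURATION = timedelta(hours=24)


@dataclass
class Session:
    user: str
    created_at: datetime    # set once, when credentials are entered; never refreshed
    last_seen_at: datetime  # refreshed on every authenticated request


def expiry_reason(session: Session, now: datetime,
                  idle_timeout: timedelta = IDLE_TIMEOUT,
                  max_duration: Optional[timedelta] = MAX_SESSION_DURATION) -> Optional[str]:
    """Return None if the session is still valid, otherwise why it is not.

    The idle check is relative to the last activity, so activity keeps the
    session alive. The max-duration check is relative to creation time, so
    no amount of activity can extend it. max_duration=None disables the cap,
    which is the idle-only behaviour the request describes.
    """
    if now - session.last_seen_at > idle_timeout:
        return "idle_timeout"
    if max_duration is not None and now - session.created_at >= max_duration:
        return "max_duration"
    return None


def touch(session: Session, now: datetime,
          idle_timeout: timedelta = IDLE_TIMEOUT,
          max_duration: Optional[timedelta] = MAX_SESSION_DURATION) -> bool:
    """Record activity on an authenticated request.

    Returns False when the session must be discarded and the user sent back
    to the login form. Only a fresh login creates a Session with a new
    created_at; touch() deliberately never modifies it.
    """
    if expiry_reason(session, now, idle_timeout, max_duration) is not None:
        return False
    session.last_seen_at = now
    return True


def simulate(activity_interval: timedelta, observe_for: timedelta,
             idle_timeout: timedelta = IDLE_TIMEOUT,
             max_duration: Optional[timedelta] = MAX_SESSION_DURATION) -> Optional[timedelta]:
    """Simulate a user who sends one request every `activity_interval`.

    Returns how long after login the session was killed, or None if it
    survived the whole observation window.
    """
    login_at = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    session = Session("alice", created_at=login_at, last_seen_at=login_at)
    now = login_at
    while now - login_at < observe_for:
        now += activity_interval
        if not touch(session, now, idle_timeout, max_duration):
            return now - login_at
    return None


if __name__ == "__main__":
    active = timedelta(minutes=30)
    week = timedelta(days=7)
    # Idle-only: the session is never killed, however long we watch.
    print("idle-only, active every 30 min:", simulate(active, week, max_duration=None))
    # With the cap: killed at exactly 24h despite continuous activity.
    print("idle + 24h cap, active every 30 min:", simulate(active, week))
    # The idle timeout still does its job for a user who goes quiet.
    print("idle + 24h cap, silent for 90 min:", simulate(timedelta(minutes=90), week))
```

The point of the simulation is the first two lines of output: with only an idle timeout a user (or whoever holds the session cookie) who acts every 30 minutes is never forced to re-enter credentials, while the absolute cap ends the session at the 24-hour mark regardless. Whichever check fires, the server must drop the session record rather than merely prompt, so that a new `created_at` can only come from a successful login.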