Session duration never followed

Has anyone made any sense of session duration limits for Cloudflare Access?

The explanation in the Zero Trust docs is:

“If the global session duration is shorter than an application’s session length, users will be required to re-authenticate each time the global session time elapses. If the global session duration is longer than an application’s session length, a user’s application session will be automatically refreshed until the global session expires.”

This to me says that application session duration will always be ignored and global will always be followed.

I’m finding, however, that we are never prompted for re-auth for applications behind Access… No matter which global or application session length, our users authenticate once and the session lasts indefinitely.

Does anybody have experience or advice on this?

+1, I’ve never figured out how session duration works. Hopefully someone can help out.