Switchflag
Authentication

Sessions

Session management with 7-day expiry and automatic refresh.

Session lifetime

Setting          Value
Session expiry   7 days of inactivity
Refresh window   1 day
Cookie cache     5 minutes

How it works

  • Sessions expire after 7 days of inactivity
  • If you use the app within 1 day of the session expiring, the session is automatically refreshed for another 7 days
  • Session data is cached in the cookie for up to 5 minutes to reduce database lookups
  • If you don't use the app for 7 days, you'll need to sign in again
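
The timing rules in the list above, modelled as an added example (this is not Switchflag's own code). The in-memory store and the names `createStore`, `signIn`, `check` and `signOut` are assumptions made for illustration; times are in milliseconds.

```javascript
// Added illustration of the documented timing rules; not Switchflag's code.
const MIN = 60 * 1000;
const DAY = 24 * 60 * MIN;
const SESSION_TTL = 7 * DAY;    // session expiry
const REFRESH_WINDOW = 1 * DAY; // refresh when this close to expiry
const CACHE_TTL = 5 * MIN;      // cookie cache

// Hypothetical in-memory stand-in for the session table; counts lookups.
function createStore() {
  return { rows: new Map(), lookups: 0 };
}

// Creates the session record and returns the cookie contents.
function signIn(store, id, now) {
  const expiresAt = now + SESSION_TTL;
  store.rows.set(id, { expiresAt });
  return { id, expiresAt, cachedAt: now };
}

// Evaluates one request at time `now` (ms). Returns { status, cookie } where
// status is "cached", "valid", "refreshed" or "expired".
function check(store, cookie, now) {
  if (!cookie) return { status: "expired", cookie: null };
  // Fresh cookie cache: trust the cookie's copy and skip the database.
  if (now - cookie.cachedAt < CACHE_TTL && now < cookie.expiresAt) {
    return { status: "cached", cookie };
  }
  store.lookups += 1;
  const row = store.rows.get(cookie.id);
  if (!row || now >= row.expiresAt) {
    store.rows.delete(cookie.id); // expired or signed out: sign in again
    return { status: "expired", cookie: null };
  }
  let status = "valid";
  if (row.expiresAt - now <= REFRESH_WINDOW) {
    row.expiresAt = now + SESSION_TTL; // inside the refresh window: extend
    status = "refreshed";
  }
  return { status, cookie: { id: cookie.id, expiresAt: row.expiresAt, cachedAt: now } };
}

// Signing out removes the record and clears the cookie.
function signOut(store, cookie) {
  store.rows.delete(cookie.id);
  return null;
}
```

In this model a request on day 5 returns "valid" and leaves the expiry at day 7, while a request on day 6.5 returns "refreshed" and moves the expiry to day 13.5.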

Sessions are stored as HTTP-only cookies:

  • HTTP-only — not accessible via JavaScript, so a script injected through XSS cannot read the session cookie
  • Secure — only sent over HTTPS in production
  • CSRF protection — built-in cross-site request forgery protection

Signing out

Signing out destroys the session immediately. The cookie is cleared and the session record is removed from the database.