Hi James,
In IBM Cognos Configuration, you need to change, from the Explorer pane, in Security / Authentication:

to 900 (instead of 3600). Save and restart Cognos Analytics.
If you are a supported customer, I guess you need to contact IBM Support.
Best regards,
------------------------------
Patrick Neveu
BSL Consulting
IBM Champion
------------------------------
Original Message:
Sent: Tue July 08, 2025 06:42 AM
From: James Hicks
Subject: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.
Has anyone been hit with this during your scans? We were told with SSO there is no workaround and we submitted an enhancement request years ago. We tried this with MFA using IdP and it still does not take you back to the login screen. Cognos doesn't prompt for a new login. Any recommendations or explanations you may have used to pass your internal audits?
CWE-613: Insufficient Session Expiration
The application did not invalidate the user session after 15
minutes of inactivity. Keeping the session valid for a longer
period of time increases the chances of it being stolen, hijacked,
or replayed. It can also lead to the unauthorized disclosure of
sensitive information displayed within the browser window.
------------------------------
James Hicks
------------------------------