Session and logout service extensions let you customize how long sessions stay active and what happens after a user logs out. Use these hooks to implement dynamic session timeouts based on user role, risk level, or compliance requirements, and to perform cleanup or redirect actions after logout.

Request Lifecycle

Session Enforcement

The Orchestrator checks session timeouts on every request before processing it. These hooks let you apply custom timeout logic. evalMaxLifetimeSE is checked first, followed by evalIdleTimeoutSE. If either hook returns true, the session is terminated and the user is redirected back to the same URL, which triggers a fresh session.

Single Logout

The single logout flow processes each configured identity provider’s logout sequentially before terminating the session. When configured, postLogoutSE replaces the default post-logout behavior. You have full control over the response — redirect to a custom page, clean up external resources, or send notifications.

Hooks

evalIdleTimeoutSE

Decide whether a session should expire based on how long the user has been inactive. Return true to end the session, or false to keep it active. Use this to apply different idle timeouts based on user role, risk level, or which application the user is accessing.

Signature:
func EvalIdleTimeout(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request, lastActivity time.Time) bool

App types: Global session config
Config location: session.lifetime.evalIdleTimeoutSE

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| api | orchestrator.Orchestrator | Access to sessions, caches, secrets, logging, and other Orchestrator services |
| rw | http.ResponseWriter | The HTTP response writer for the current request |
| req | *http.Request | The incoming HTTP request |
| lastActivity | time.Time | Timestamp of the user's last activity |

Returns: bool. true if the session should be expired due to idle timeout, false to keep it active.

evalMaxLifetimeSE

Decide whether a session should expire based on how long it has been active, regardless of user activity. Return true to end the session, or false to keep it active. Use this to enforce different session lifetimes based on authentication strength, user role, or compliance requirements.

Signature:
func EvalMaxLifetime(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request, sessionStart time.Time) bool

App types: Global session config
Config location: session.lifetime.evalMaxLifetimeSE

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| api | orchestrator.Orchestrator | Access to sessions, caches, secrets, logging, and other Orchestrator services |
| rw | http.ResponseWriter | The HTTP response writer for the current request |
| req | *http.Request | The incoming HTTP request |
| sessionStart | time.Time | Timestamp when the session was created |

Returns: bool. true if the session should be expired due to max lifetime, false to keep it active.
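An added example, not code from the Orchestrator project: decision logic that the two timeout hooks could share, choosing limits by request path and evaluated in the order described under Session Enforcement. The path prefixes, durations and helper names are assumptions, and the `api` parameter is left out so the block compiles with the standard library alone; a real hook would pass `time.Now()` as `now`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed policy; prefixes and durations are assumptions. Strictest first.
var policy = []struct {
	prefix     string
	idle, life time.Duration
}{
	{"/admin", 5 * time.Minute, time.Hour},
	{"/", 30 * time.Minute, 12 * time.Hour},
}

// limitsFor picks limits by request path; unmatched paths get the strictest.
func limitsFor(req *http.Request) (idle, life time.Duration) {
	for _, p := range policy {
		if strings.HasPrefix(req.URL.Path, p.prefix) {
			return p.idle, p.life
		}
	}
	return policy[0].idle, policy[0].life
}

// expired fails closed: a zero or future timestamp ends the session.
func expired(since, now time.Time, limit time.Duration) bool {
	return since.IsZero() || since.After(now) || now.Sub(since) >= limit
}

// enforce applies the documented order: max lifetime first, then idle timeout.
func enforce(req *http.Request, sessionStart, lastActivity, now time.Time) string {
	idle, life := limitsFor(req)
	switch {
	case expired(sessionStart, now, life): // evalMaxLifetimeSE would return true
		return "expire: max lifetime"
	case expired(lastActivity, now, idle): // evalIdleTimeoutSE would return true
		return "expire: idle"
	}
	return "keep"
}

// newReq builds a constructed incoming request for the demo.
func newReq(path string) *http.Request { return httptest.NewRequest("GET", path, nil) }

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	fmt.Println(enforce(newReq("/admin/users"), now.Add(-20*time.Minute), now.Add(-6*time.Minute), now))
	fmt.Println(enforce(newReq("/app/home"), now.Add(-20*time.Minute), now.Add(-6*time.Minute), now))
}
```

Treating a missing or future timestamp as expired means corrupted session state forces re-authentication instead of extending the session.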

postLogoutSE

Run custom logic after the user has been logged out of all identity providers. Use this to clean up external resources, send notifications to downstream systems, record an audit event, or redirect the user to a custom post-logout page.

Signature:
func PostLogout(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request)

App types: Global SLO config
Config location: singleLogout.postLogout.postLogoutSE

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| api | orchestrator.Orchestrator | Access to sessions, caches, secrets, logging, and other Orchestrator services |
| rw | http.ResponseWriter | The HTTP response writer; use to redirect or return a custom response |
| req | *http.Request | The incoming HTTP request |