> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Session & Logout

Session and logout service extensions let you customize how long sessions stay active and what happens after a user logs out. Use these hooks to implement dynamic session timeouts based on user role, risk level, or compliance requirements, and to perform cleanup or redirect actions after logout.

## Request Lifecycle

### Session Enforcement

The Orchestrator checks session timeouts on every request before processing it. These hooks let you apply custom timeout logic.

```mermaid theme={null}
%%{init: {'theme': 'neutral', 'themeVariables': {'edgeWidth': 4}}}%%
flowchart TD
    REQ[Incoming request] --> FRESH{Session is new?}
    FRESH -- Yes --> NEXT[Continue to application]
    FRESH -- No --> MAX{evalMaxLifetimeSE — session expired?}
    MAX -- expired --> TERM1[Terminate session and redirect]
    MAX -- still valid --> IDLE{evalIdleTimeoutSE — idle too long?}
    IDLE -- expired --> TERM2[Terminate session and redirect]
    IDLE -- still valid --> BUILTIN[Built-in timeout checks]
    BUILTIN --> NEXT

    classDef hook stroke:#6A3EC8,stroke-width:6px
    class MAX,IDLE hook
```

`evalMaxLifetimeSE` is checked first, followed by `evalIdleTimeoutSE`. If either hook returns `true`, the session is terminated and the user is redirected back to the same URL, which triggers a fresh session.

### Single Logout

The single logout flow processes each configured identity provider's logout sequentially before terminating the session.

```mermaid theme={null}
%%{init: {'theme': 'neutral', 'themeVariables': {'edgeWidth': 4}}}%%
flowchart TD
    REQ[User starts logout] --> IDP{Any identity provider sessions remaining?}
    IDP -- Yes --> LOGOUT[Log out from identity provider]
    LOGOUT --> REQ
    IDP -- No --> TERM[End session and clear cookies]
    TERM --> SE[postLogoutSE]
    SE --> REDIR{Redirect URL configured?}
    REDIR -- Yes --> R[Redirect to post-logout page]
    REDIR -- No --> MSG[Show logged out message]

    classDef hook stroke:#6A3EC8,stroke-width:6px
    class SE hook
```

When configured, `postLogoutSE` replaces the default post-logout behavior. You have full control over the response -- redirect to a custom page, clean up external resources, or send notifications.

## Hooks

### `evalIdleTimeoutSE`

Decide whether a session should expire based on how long the user has been inactive. Return `true` to end the session, or `false` to keep it active. Use this to apply different idle timeouts based on user role, risk level, or which application the user is accessing.

**Signature:**

```go theme={null}
func EvalIdleTimeout(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request, lastActivity time.Time) bool
```

**App types:** Global session config

**Config location:** `session.lifetime.evalIdleTimeoutSE`

**Parameters:**

| Parameter      | Type                        | Description                                                                   |
| -------------- | --------------------------- | ----------------------------------------------------------------------------- |
| `api`          | `orchestrator.Orchestrator` | Access to sessions, caches, secrets, logging, and other Orchestrator services |
| `rw`           | `http.ResponseWriter`       | The HTTP response writer for the current request                              |
| `req`          | `*http.Request`             | The incoming HTTP request                                                     |
| `lastActivity` | `time.Time`                 | Timestamp of the user's last activity                                         |

**Returns:** `bool` -- `true` if the session should be expired due to idle timeout, `false` to keep it active.

***

### `evalMaxLifetimeSE`

Decide whether a session should expire based on how long it has been active, regardless of user activity. Return `true` to end the session, or `false` to keep it active. Use this to enforce different session lifetimes based on authentication strength, user role, or compliance requirements.

**Signature:**

```go theme={null}
func EvalMaxLifetime(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request, sessionStart time.Time) bool
```

**App types:** Global session config

**Config location:** `session.lifetime.evalMaxLifetimeSE`

**Parameters:**

| Parameter      | Type                        | Description                                                                   |
| -------------- | --------------------------- | ----------------------------------------------------------------------------- |
| `api`          | `orchestrator.Orchestrator` | Access to sessions, caches, secrets, logging, and other Orchestrator services |
| `rw`           | `http.ResponseWriter`       | The HTTP response writer for the current request                              |
| `req`          | `*http.Request`             | The incoming HTTP request                                                     |
| `sessionStart` | `time.Time`                 | Timestamp when the session was created                                        |

**Returns:** `bool` -- `true` if the session should be expired due to max lifetime, `false` to keep it active.

***

### `postLogoutSE`

Run custom logic after the user has been logged out of all identity providers. Use this to clean up external resources, send notifications to downstream systems, record an audit event, or redirect the user to a custom post-logout page.

**Signature:**

```go theme={null}
func PostLogout(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request)
```

**App types:** Global SLO config

**Config location:** `singleLogout.postLogout.postLogoutSE`

**Parameters:**

| Parameter | Type                        | Description                                                                   |
| --------- | --------------------------- | ----------------------------------------------------------------------------- |
| `api`     | `orchestrator.Orchestrator` | Access to sessions, caches, secrets, logging, and other Orchestrator services |
| `rw`      | `http.ResponseWriter`       | The HTTP response writer -- use to redirect or return a custom response       |
| `req`     | `*http.Request`             | The incoming HTTP request                                                     |

## Related Pages

<CardGroup cols={2}>
  <Card title="Service Extensions Overview" icon="code" href="/reference/orchestrator/service-extensions">
    Configuration, SDK reference, and best practices
  </Card>

  <Card title="Sessions" icon="id-badge" href="/reference/orchestrator/sessions">
    Session configuration and lifetime settings
  </Card>

  <Card title="Single Logout" icon="right-from-bracket" href="/reference/orchestrator/sessions/logout">
    Single logout configuration and flow
  </Card>
</CardGroup>
