How to manage session timeout security on Binance web login?

Binance enforces an automatic logout after 30 minutes of inactivity, and the timeout cannot be extended manually; when a session times out the JWT is revoked, WebSocket connections are closed, and unsaved actions are discarded, with only already-submitted orders preserved.

Jun 27, 2026 at 04:19 am

Session Timeout Configuration

1. Binance enforces automatic session termination after 30 minutes of inactivity on the web interface.

2. Users cannot manually extend the timeout duration through account settings or dashboard controls.

3. The timeout value is hardcoded into the frontend authentication layer and synchronized with backend session validation logic.

4. Session expiration triggers immediate revocation of the current JWT token and invalidates all associated WebSocket connections.

5. Upon timeout, users are redirected to the login page without preserving any unsaved order entries or open modal states.

Real-Time Session Monitoring

1. Each active session is assigned a unique session ID mapped to a Redis cache entry with TTL set to match the 30-minute window.

2. Every API request updates the TTL timestamp only if the request originates from a valid origin header and includes an unexpired access token.

3. Concurrent login detection activates when a new authentication event occurs under the same user ID, forcing immediate invalidation of all prior sessions.

4. Session metadata—including device fingerprint, geolocation coordinates, and TLS handshake hash—is logged for forensic analysis upon timeout events.

5. Users receive no notification before timeout but see a persistent countdown banner in the top-right corner starting at 5 minutes remaining.
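The two lists above describe one mechanism: a fixed idle window that the user cannot lengthen, a per-session cache entry whose TTL is refreshed only by well-formed authenticated requests, single-session-per-user enforcement, a forensic record on expiry, and a countdown banner for the last five minutes. The following is an added example (not Binance's code) that models that behaviour in Python. A dict stands in for the Redis cache so it runs offline; the allowed origin, token lifetime and fingerprint values are constructed, and the origin and token checks are placeholders for whatever the real gateway does.

```python
"""Sliding-window session store with a fixed, non-extendable idle timeout."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60      # seconds; hardcoded, no user-facing override
BANNER_THRESHOLD = 5 * 60   # countdown banner shown at <= 5 minutes remaining
ALLOWED_ORIGINS = {"https://www.example-exchange.test"}  # constructed value


@dataclass
class Session:
    user_id: str
    expires_at: float        # idle deadline; with Redis this is the key's TTL
    token_expires_at: float  # access-token lifetime, independent of idleness
    fingerprint: str         # device fingerprint retained for forensics


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}   # stand-in for Redis entries
        self._by_user: dict[str, str] = {}        # user_id -> current session id
        self.audit_log: list[dict] = []

    def login(self, user_id: str, fingerprint: str, token_lifetime: int) -> str:
        now = self._clock()
        # Concurrent login: a new authentication event invalidates the prior session.
        previous = self._by_user.get(user_id)
        if previous is not None:
            self._revoke(previous, reason="concurrent_login")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, now + IDLE_TIMEOUT,
                                      now + token_lifetime, fingerprint)
        self._by_user[user_id] = sid
        return sid

    def touch(self, sid: str, origin: str) -> bool:
        """Process one request. Returns True if the session is still valid.
        Only a request from a trusted origin with an unexpired access token
        slides the idle window (Redis equivalent: EXPIRE key IDLE_TIMEOUT)."""
        now = self._clock()
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        if now >= sess.expires_at:
            self._revoke(sid, reason="idle_timeout")
            return False
        if origin in ALLOWED_ORIGINS and now < sess.token_expires_at:
            sess.expires_at = now + IDLE_TIMEOUT
        return True

    def seconds_remaining(self, sid: str) -> int:
        sess = self._sessions.get(sid)
        if sess is None:
            return 0
        return max(0, int(sess.expires_at - self._clock()))

    def countdown_banner(self, sid: str):
        """Seconds to show in the banner, or None while more than 5 minutes remain."""
        remaining = self.seconds_remaining(sid)
        return remaining if 0 < remaining <= BANNER_THRESHOLD else None

    def is_active(self, sid: str) -> bool:
        sess = self._sessions.get(sid)
        return sess is not None and self._clock() < sess.expires_at

    def _revoke(self, sid: str, reason: str) -> None:
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return
        if self._by_user.get(sess.user_id) == sid:
            del self._by_user[sess.user_id]
        # Metadata is kept for forensic review after the session itself is gone.
        self.audit_log.append({"session_id": sid, "user_id": sess.user_id,
                               "fingerprint": sess.fingerprint,
                               "reason": reason, "at": self._clock()})


if __name__ == "__main__":
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])
    sid = store.login("user-42", "fp-constructed", token_lifetime=3600)
    clock[0] += 26 * 60
    store.touch(sid, "https://evil.test")   # valid request, but does not refresh
    print("banner:", store.countdown_banner(sid))
```

Two points worth noting. Expiry is checked lazily on access, which is how a Redis TTL behaves from the application's point of view: the entry simply disappears, so the `touch` path must treat a missing key as a dead session rather than an error. And the refresh condition is deliberately stricter than the validity condition: a request can be served against a live session without earning it more time, which is what stops a cross-origin page from keeping a session alive.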

Two-Factor Authentication Interaction

1. TOTP-based second factor does not alter the base timeout interval but requires re-authentication after every session reset.

2. Hardware security keys registered via WebAuthn bypass the standard timeout mechanism only during initial sign-in—not during subsequent activity.

3. SMS-based 2FA codes remain valid for 5 minutes post-generation but expire immediately upon session termination regardless of remaining code lifetime.

4. Authy and Google Authenticator tokens are validated against Binance’s time-synced NTP servers; clock drift beyond 30 seconds causes rejection even within the timeout window.

5. Recovery codes are single-use and do not influence session longevity or renewal behavior.
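Items 3 and 4 above turn on two details of how a second factor is checked: how much clock drift the verifier tolerates, and what happens to a code that is still within its lifetime when the session it belongs to is terminated. The following is an added example (not Binance's code) of an RFC 6238 TOTP verifier in Python that accepts the current 30-second step plus one step on either side, remembers the step it accepted so the same code cannot be replayed, and discards any pending code once the session is terminated. The secret and timestamps are constructed; the first assertion in the accompanying check uses the RFC 6238 SHA-1 test vector.

```python
"""TOTP (RFC 6238) verification with bounded clock-drift tolerance."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DRIFT_STEPS = 1  # one step either side: roughly 30 s of tolerated clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """Code for the 30-second step containing Unix time `at` (what the authenticator app shows)."""
    return hotp(secret, at // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side verifier bound to one login session (constructed design)."""

    def __init__(self, secret: bytes, digits: int = 6, drift_steps: int = DRIFT_STEPS):
        self.secret = secret
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_step = -1   # replay protection: never accept an older or equal step
        self.session_active = True

    def verify(self, code: str, now: int) -> bool:
        if not self.session_active:
            return False   # session ended: a code still inside its lifetime is worthless
        step = now // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = step + delta
            if candidate <= self.last_accepted_step:
                continue   # already consumed, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False

    def terminate_session(self) -> None:
        self.session_active = False


if __name__ == "__main__":
    secret = b"constructed-secret-1234"
    verifier = TotpVerifier(secret)
    code = totp(secret, 1000)
    print("29 s ahead:", verifier.verify(code, 1029))
    print("60 s ahead:", TotpVerifier(secret).verify(code, 1060))
```

With a one-step window the drift actually tolerated lies between 30 and 59 seconds depending on where the client's clock falls within a step, which is why the text's "30 seconds" is a floor rather than an exact boundary; a verifier that wants a hard 30-second limit has to compare timestamps, not just steps. The `last_accepted_step` check is the resynchronisation rule RFC 6238 recommends and is what makes a captured code useless once it has been used.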

Browser-Level Security Enforcement

1. The Binance web client sets HttpOnly and Secure flags on all session cookies, preventing JavaScript access and transmission over non-HTTPS channels.

2. SameSite=Strict attribute blocks cross-origin requests that could otherwise prolong or hijack sessions via embedded iframes.

3. Cache-Control headers explicitly forbid browser caching of sensitive endpoints like /api/v3/account or /sapi/v1/capital/config/getall.

4. Subresource Integrity (SRI) hashes validate all external script loads, ensuring no injected payload can manipulate session timers or override logout handlers.

5. Content Security Policy directives restrict inline scripts and eval usage, eliminating common vectors for session fixation attacks.
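The five items above are all server-emitted response settings, so the natural check is a function that builds the hardened headers and one that audits an arbitrary response against them. The following is an added example (not Binance's code) in Python: `build_session_cookie` emits a cookie with HttpOnly, Secure and SameSite=Strict; `hardened_headers` adds `Cache-Control: no-store` for the two account endpoints the text names and a CSP that allows neither inline script nor eval; `sri_attribute` computes the integrity value for a script body; and `audit` lists which of those protections a given response lacks. The cookie name, CSP source list and sample header values are constructed.

```python
"""Session cookie and response-header hardening, with a checker for weak settings."""
import base64
import hashlib
from http.cookies import SimpleCookie

# Endpoints the text says must never be cached by the browser.
SENSITIVE_PATHS = ("/api/v3/account", "/sapi/v1/capital/config/getall")


def build_session_cookie(name: str, value: str, max_age: int = 1800) -> str:
    """Set-Cookie value with the attributes a session cookie needs."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True      # not readable from JavaScript
    jar[name]["secure"] = True        # never sent over plain HTTP
    jar[name]["samesite"] = "Strict"  # not sent on any cross-site request
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age    # matches the 30-minute idle window
    return jar[name].OutputString()


def hardened_headers(path: str) -> dict:
    """Response headers for `path` (constructed policy, not Binance's)."""
    headers = {
        "Set-Cookie": build_session_cookie("session", "opaque-session-id"),
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    }
    if path.startswith(SENSITIVE_PATHS):
        headers["Cache-Control"] = "no-store"
    return headers


def sri_attribute(script: bytes) -> str:
    """Value for <script integrity="..."> so a tampered script is refused."""
    digest = hashlib.sha384(script).digest()
    return "sha384-" + base64.b64encode(digest).decode()


def cookie_findings(set_cookie: str) -> list:
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("cookie: missing HttpOnly")
    if "secure" not in attrs:
        findings.append("cookie: missing Secure")
    if attrs.get("samesite") != "strict":
        findings.append("cookie: SameSite is not Strict")
    return findings


def csp_findings(policy: str) -> list:
    directives = {}
    for d in policy.split(";"):
        name, _, sources = d.strip().partition(" ")
        directives[name.lower()] = sources.lower()
    script_src = directives.get("script-src", directives.get("default-src", ""))
    findings = []
    if not policy:
        findings.append("csp: header missing")
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script_src:
            findings.append(f"csp: script-src allows {weak}")
    return findings


def audit(path: str, headers: dict) -> list:
    """Return a list of weaknesses; an empty list means the response passes."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = cookie_findings(lower.get("set-cookie", ""))
    findings += csp_findings(lower.get("content-security-policy", ""))
    if path.startswith(SENSITIVE_PATHS) and "no-store" not in lower.get("cache-control", ""):
        findings.append("cache-control: sensitive endpoint is cacheable")
    return findings


if __name__ == "__main__":
    weak = {"Set-Cookie": "session=abc; Path=/",
            "Cache-Control": "public, max-age=600",
            "Content-Security-Policy": "script-src 'self' 'unsafe-inline'"}
    for finding in audit("/api/v3/account", weak):
        print("weak:", finding)
    print("hardened:", audit("/api/v3/account", hardened_headers("/api/v3/account")))
```

The checker is intentionally narrow: it covers exactly the five controls the list names and nothing else, so it is useful as a regression test on a deployment's responses rather than as a general header scanner. Note that SameSite=Strict also suppresses the cookie on top-level navigations from other sites, which is the trade-off that makes it effective against the iframe case the text describes.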

Frequently Asked Questions

Q: Can I disable session timeout entirely?

A: No. Binance does not provide any UI toggle, API endpoint, or support channel to disable or configure session timeout duration.

Q: Does using the Binance mobile app affect web session timing?

A: No. Mobile app sessions operate independently and do not extend or synchronize with web session lifetimes.

Q: What happens to pending limit orders when the session times out?

A: Pending orders remain active on the exchange matching engine; only UI state and session-bound order management functions are lost.

Q: Is there a way to recover session data after timeout without re-login?

A: No. All session-scoped data, including open trade panels, chart configurations, and notification preferences, is discarded permanently upon timeout.

Disclaimer: info@kdj.com

The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!
