Suggested Timeout Settings for CSM

Learn about the many timeout settings in CSM and its supporting services. You can implement our suggested timeout settings for improved performance.

We suggest a timeout of 90 minutes as a baseline. You'll base many of your timeout settings throughout the system on this value. The following information describes how CSM uses the various timeout settings in CSM, Cherwell Application Server, and IIS. You'll also find suggested timeout values based on the 90-minute baseline.

CSM Desktop Client

You can implement an inactivity timeout for the CSM Desktop Client using the Logout inactive users from Cherwell after option under Security Settings. The Desktop Client keeps track of the "last touched" time, which is updated by user activity. The Desktop Client checks every minute to see if a logged-in user has been inactive for longer than the configured timeout. If the Desktop Client does not detect any activity within the specified timeout, it sends a "logout" request to the application server, and displays a dialog box telling the user they have been logged out due to inactivity.

To implement our suggested Desktop Client timeout settings:

  1. In CSM Administrator, navigate to Security > Security Settings > Desktop Client.
  2. Set Logout inactive users from Cherwell after to 90 minutes.

    You can also set a Warning period, which dictates how long before the inactivity timer expires users will get a warning before being disconnected.

CSM Browser Client and CSM Portal

The same inactivity timeout setting is available for the CSM Browser Client and CSM Portal. This session timeout must be smaller than the IIS Application Pool Idle Timeout-out setting.

To implement our suggested CSM Browser Client and CSM Portal timeout settings:

  1. In CSM Administrator, navigate to Browser and Mobile > Browser Application Settings.
  2. Under the Session Timeout section, set Timeout to 90 minutes.

    Remember to ensure the IIS Application Pool timeout setting is 5-10 minutes higher than this setting. The IIS Session State timeout setting should match the CSM session timeout setting.

Cherwell Application Server

The Cherwell Application Server has a variety of settings dealing with timeouts and inactivity. The Cherwell Application Server timestamps the last action registered for a given user, and periodically reviews all logged-in users to see if any user has not reported activity within the designated timeframe. If not, the user is removed from the cache of logged-in users, causing clients to log the user out and display a log-out message.

The application server keeps track of users using a key constructed of three parts:

  • User ID
  • Module (client) the user is logged into
  • A unique session key that is assigned to the user when they log in, which is stored in the logged-in users cache/table
When the application server applies a timestamp to a user's activity, it stores the timestamp using the most recent session key created for the user, which means that only activity on the user's most recent login should be tracked.

To implement our suggested Application Server timeout settings:

  1. Navigate to Security > Licensing.
  2. Set If the client stops responding, auto-release license after to 90 minutes.


You can set Idle Time-out (minutes) in Application Pools in IIS to the your desired timeout plus 10 minutes. The IIS Idle Time-out setting controls when the IIS application pool is shut down if no activity is detected within the configured interval. When the application pool is shut down, the Application Server and Web clients will lose their sessions, which can cause users to be logged out. It is recommended that this be set to at least your desired inactivity timeout plus ten minutes, to ensure that the application pool is never recycled while users are still logged in.

By default, the Regular Time Interval (minutes) is set to 1740 minutes (29 hours). We suggest setting this to 0, then setting a Specific Time to recycle the Application Pool. We suggest recycling at 0200; if there are multiple servers separate the recycle times by 15 minutes.

Be sure to coordinate your recycle time with your scheduled tasks and adjust if there are conflicts.

When the application pool is recycled, the Application Server and web clients will lose their current sessions, causing users to be logged out. Schedule this to run during expected down times, such as at 0200.

To implement our suggested IIS timeout settings for a server farm with Redis:

  1. Open IIS and access the Application Pools.
  2. Right-click the Application pool you want to edit and select Advanced Settings. Set the following values:
    Setting NameSuggested Value
    Idle Time-out (minutes)100 minutes
    Regular Time Interval (minutes)0
    Specific Time0200 (if multiple servers, separate recycle times by 15 minutes)
  3. For the Portal and Browser Client sites, double-click Session State and adjust the Time-out (in minutes) to 90 minutes.