How long can users be inactive in GAS before they are required to log in again? Can this session timeout be changed?

The Idle Session Timeout is the number of minutes a user session can be inactive before Grand Avenue requires entry of a valid user ID and password to continue working. (A session that has timed out can be resumed without loss of unsaved data by logging in using a different web browser tab.)

Grand Avenue’s idle session timeout can be decreased to any value below the default of 60 minutes. While FDA does not provide guidance on the maximum acceptable idle timeout, Grand Avenue strongly recommends that customers do not exceed 60 minutes.

The session timeout is a critical part of 21 CFR Part 11 compliance, and because systems may be accessed from uncontrolled client machines (personal phones and laptops), shorter timeout values lower the risk of unauthorized access and activity.

Note: The idle time for a user session is determined by the last time the user clicked a button. Typing in fields and navigating within a page without clicking buttons do not reset the idle time.

Hosted Grand Avenue Installations

Customers with installations hosted by Grand Avenue should contact support@grandavenue.com to request changes to their idle session timeout.

On Premise Grand Avenue Installations

Changing the idle session timeout requires access to the IIS (Internet Information Services) web server, which is usually limited to an organization’s IT staff.

Modify the Web.config file (usually found in the wwwroot\GrandAvenue folder) as shown below to change the timeout value (in minutes).

Changes to the Web.config file automatically trigger a restart of the application pool, so no actions should be required beyond making these changes and saving the file.