AnsweredAssumed Answered

Netsuite New Absolute Session Timeout Enforced for Web Services (April 1, 2017)

Question asked by Sjaak Overgaauw on Apr 7, 2017
Latest reply on Apr 24, 2017 by Sjaak Overgaauw


For your info. I received this email this afternoon.


Question: does this mean that Boomi processes running longer than 1 hour will be killed automatically?


This timeout defines the maximum amount of time a session can be active.


Full message


In April, 2017, a new absolute session timeout will be enforced for web services. Specifically, this timeout will apply to the web services login operation. You are receiving this notification because you use the login operation or the ssoLogin operation (used for Inbound Single Sign-on) with your web services integrations.


Currently, web services sessions are already subject to a 20-minute idle session timeout, and a 15-minute operation timeout. Before this change goes into effect, ensure your web services integrations can also handle this new 60-minute absolute session timeout.


What is Changing?Recommended Action

In April, 2017, a new 60-minute absolute session timeout for web services integrations will be enforced. Enforcing an absolute session timeout follows Open Web Application Security Project (OWASP) guidelines.


  • Consider using sessionless protocols based on request level credentials, such as User Credentials or Token-based Authentication (TBA) instead of sessions with your web services integrations. Using a sessionless protocol eliminates the need to implement session management on the client side.
  • If your web services integration is experiencing problems with the 15-minute operation timeout, consider using asynchronous calls.


About the OWASP Absolute Session Timeout Guideline

OWASP provides the following guideline: “All sessions should implement an absolute timeout, regardless of session activity. This timeout defines the maximum amount of time a session can be active. The session is closed and invalidated upon the defined absolute period, because the given session was initially created by the web application. After the session is invalidated, the user must authenticate (log in) again in the web application and establish a new session.

The absolute session timeout limits the amount of time possible for a potential attacker to use a hijacked session to impersonate a user.” For more information from OWASP, see To link directly to the information about absolute timeout, go to

For more information about the recommended actions, see the following in the NetSuite Help Center or SuiteAnswers:

If you require assistance or more information, please contact NetSuite Customer Support.


Thank you,
The NetSuite Team