Snowflake sessions and session policies¶

Snowsight session expiration and logout behavior¶

• A Snowsight session remains active as long as the user is interacting with the application and has not exceeded the configured idle session timeout.

• The session idle timeout is controlled by your organization’s session policy (the default is 4 hours). If there is no activity for longer than this period, the session will expire and you will be logged out automatically.

• In addition to idle timeout, session persistence is also affected by authentication cookies:

  • In most cases, closing and reopening your browser will end your Snowsight session, regardless of your idle time.

  • If your authentication cookie expires (typically after 24 hours), you will be required to log in again, even if you have not been idle for longer than the session timeout.

• If your network connection is lost or you attempt to access Snowsight from a disallowed network, your session may be closed and you will be logged out.

• When a session is closed for any reason, any running queries or jobs associated with that session will be terminated after a short delay (usually within a few minutes).

Monitor session usage¶

You can monitor active sessions and session usage using Snowsight or a SQL view. You can view your own sessions, or use a role with access to view the SESSIONS view to view sessions for your account. See ACCOUNT_USAGE schema SNOWFLAKE database roles.

SQL:

Query the SESSIONS view in the ACCOUNT USAGE schema of the shared SNOWFLAKE database to monitor session usage.

Snowsight:

In the navigation menu, select Governance & security » Network policies, and then select the Sessions tab. You can review the session ID, user name, start time, client driver in use for the session, client net address, and authentication method. Hover over the start time to view the exact date and time that the session started, in your local time zone.

Secondary roles in a session policy¶

When a user connects to Snowflake and the session begins, the user can activate secondary roles with a USE SECONDARY ROLES command. However, as a security administrator, you might want to manage the secondary roles that are available to an individual user, groups of users, or the entire account. Managing secondary roles helps to scope the set of privileges available to a user for the duration of the session.

To meet these management needs, you can set the ALLOWED_SECONDARY_ROLES property in a session policy and set the session policy on the account or a user in the account. This property controls the secondary roles that can be activated in a session. Setting this property to an empty list ALLOWED_SECONDARY_ROLES=() disables secondary roles in a session.

For examples, see Specifying secondary roles in a session policy.

Considerations¶

• If a client supports the CLIENT_SESSION_KEEP_ALIVE option and the option is set to TRUE, the client preserves the Snowflake session indefinitely as long as the connection to Snowflake is active. Otherwise, if the option is set to FALSE, the session ends after 4 hours. When possible, avoid using this option since it can result in many open sessions and place a greater demand on resources which can lead to a performance degradation.

• You can use the CLIENT_SESSION_KEEP_ALIVE_HEARTBEAT_FREQUENCY parameter to specify the number of seconds between client attempts to update the token for the session. The web interface session can be refreshed as Snowflake objects continue to be used, such as executing DDL and DML statements. Snowflake checks for this behavior every 30 seconds.

• Creating a new worksheet or opening an existing worksheet continues to use the established user session but with its idle session timeout reset to 0.

Limitations¶

Future grants:

Future grants of privileges on session policies are not supported.

As a workaround, grant the APPLY SESSION POLICY privilege to a custom role to allow that role to apply session policies on a user or the Snowflake account.