Bubble sessions last indefinitely by default, which can be a security risk. This tutorial shows you how to control session duration using custom states, scheduled workflows, and page-level checks to automatically log users out after a set idle period and redirect them to the login page.
Overview: Managing Session Expiration in Bubble
By default, Bubble keeps users logged in until they explicitly log out or clear their browser cookies. For many apps, especially those handling sensitive data, you need sessions to expire after a period of inactivity. This tutorial shows you how to build a session timeout system using custom states, page-load workflows, and the Do When Condition Is True event. No plugins are required.
Prerequisites
- A Bubble app with a working login system
- At least one protected page (dashboard, account, etc.)
- Basic understanding of Bubble workflows and custom states
Step-by-step guide
Add a last_active timestamp to the User Data Type
Add a last_active timestamp to the User Data Type
Go to the Data tab and open the User Data Type. Click Create a new field. Name it last_active and set the type to date. This field will store the timestamp of the user's most recent activity. Every time the user performs an action, you will update this field to the current date/time.
Expected result: The User Data Type now has a last_active field of type date.
Update last_active on every page load
Update last_active on every page load
On each protected page in your app, go to the Workflow tab. Create a new workflow with the event Page is loaded. Add the condition: Only when Current User is logged in. Add the action Make Changes to Current User and set last_active to Current date/time. This ensures that every time a user navigates to a page or refreshes, their activity timestamp is updated.
Pro tip: Use a Reusable Element that appears on all protected pages to avoid duplicating this workflow on every page.
Expected result: The last_active field is updated to the current time whenever a logged-in user loads any protected page.
Create a session timeout check with Do When Condition Is True
Create a session timeout check with Do When Condition Is True
On your main protected page (or in a reusable element shared across pages), go to the Workflow tab. Add a new event: Do when condition is true. Set the condition to: Current User's last_active < Current date/time + seconds: -1800 (this checks if the user has been inactive for 30 minutes — adjust the number of seconds for your needs). Check the Run this Every time box. In the actions, add: (1) Log the user out. (2) Go to page: login. (3) Optionally, show an alert: Your session has expired. Please log in again.
Pro tip: Bubble evaluates Do When Condition Is True roughly every few seconds, so the logout will happen within a short window after the timeout period.
Expected result: Users who have been inactive for 30 minutes are automatically logged out and redirected to the login page.
Show a session expiration warning
Show a session expiration warning
To give users a heads-up before they are logged out, add another Do When Condition Is True event with the condition: Current User's last_active < Current date/time + seconds: -1500 (25 minutes, giving a 5-minute warning). In the actions, show a Popup or Alert element with a message like: Your session will expire in 5 minutes. Click anywhere to stay logged in. Add a Button in the popup that triggers a workflow to Make Changes to Current User setting last_active to Current date/time, which resets the timer.
Expected result: Users see a warning popup 5 minutes before their session expires, with an option to extend it.
Protect pages against expired sessions on load
Protect pages against expired sessions on load
Add a Page is loaded workflow to each protected page (or the shared reusable element). Set the condition: Only when Current User is not logged in. In the actions, add Go to page: login. This handles cases where the user's browser cookie has been cleared or the session expired while the tab was inactive.
Expected result: Any user who lands on a protected page without a valid session is immediately redirected to the login page.
Complete working example
1SESSION MANAGEMENT WORKFLOW SUMMARY2====================================34DATA STRUCTURE:5 User Data Type additions:6 - last_active (date)78ACTIVITY TRACKING (All protected pages → Page is loaded):9 Condition: Only when Current User is logged in10 Action: Make Changes to Current User11 → last_active = Current date/time1213SESSION TIMEOUT CHECK (Reusable element → Do when condition is true):14 Condition: Current User's last_active < Current date/time +(seconds): -180015 Run this: Every time16 Actions:17 1. Log the user out18 2. Go to page: login19 3. Alert: "Your session has expired. Please log in again."2021EXPIRATION WARNING (Reusable element → Do when condition is true):22 Condition: Current User's last_active < Current date/time +(seconds): -150023 Run this: Every time24 Actions:25 1. Show Popup: SessionWarning26 Popup contains:27 - Text: "Your session will expire in 5 minutes"28 - Button: "Stay Logged In"29 → Make Changes to Current User: last_active = Current date/time30 → Hide Popup: SessionWarning3132PAGE PROTECTION (All protected pages → Page is loaded):33 Condition: Only when Current User is not logged in34 Action: Go to page: login3536CONFIGURATION:37 - 1800 seconds = 30-minute timeout38 - 1500 seconds = 25 minutes (5-min warning)39 - Adjust both values to match your security needsCommon mistakes when managing session expiration in Bubble
Why it's a problem: Using only client-side custom states for session tracking
How to avoid: Store the last_active value in the User Data Type (server-side), not in a custom state
Why it's a problem: Forgetting to update last_active on user actions
How to avoid: Also update last_active on key actions like form submissions, button clicks, and navigations
Why it's a problem: Not checking login status on page load
How to avoid: Add a Page is loaded check on every protected page that redirects to login if Current User is not logged in
Best practices
- Use a Reusable Element for session management so the logic exists in one place across all pages
- Store activity timestamps in the database, not in custom states, for persistence across page loads
- Set your timeout duration based on your app's sensitivity — 15 minutes for financial apps, 30-60 minutes for general apps
- Show a warning popup before the session expires so users can extend their session with one click
- Log session expiration events in a separate Data Type for security auditing
- Test your timeout by temporarily setting it to 2-3 minutes to verify the flow works end to end
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm building a Bubble.io app and need to implement session expiration. Users should be automatically logged out after 30 minutes of inactivity, with a warning at 25 minutes. I have a login page and a dashboard. Can you describe the exact workflows and data fields I need?
Set up session timeout for my app. I need users to be automatically logged out after 30 minutes of inactivity, with a 5-minute warning. Add the required fields to the User Data Type and create the workflows.
Frequently asked questions
How long do Bubble sessions last by default?
Bubble sessions are persistent by default — users stay logged in until they explicitly log out or clear their browser cookies. There is no built-in session timeout setting.
Does the session timeout work when the browser tab is in the background?
The Do When Condition Is True event may not fire reliably when the tab is in the background. The Page is loaded check provides a safety net — when the user returns to the tab, the page re-evaluates and redirects if the session has expired.
Will this approach use a lot of Workload Units?
The main cost is the Make Changes to Current User action on page load, which is roughly 0.5 WU per update. The Do When Condition checks are client-side evaluations that do not consume server WUs.
Can I set different timeout durations for different user roles?
Yes. In the Do When Condition, add role-based logic. For example, check if Current User's role is Admin and use a shorter timeout value, or if role is Regular use a longer one.
How do I handle session expiration in a single-page app design?
If you use group-based navigation instead of multiple pages, attach the session check to a floating group that is present across all views. Update last_active whenever the user switches views or interacts with key elements.
Can RapidDev help with more advanced session management?
Yes. RapidDev has built enterprise-grade session management systems in Bubble including multi-device session tracking, forced logout across all devices, and audit logging. Reach out if your requirements go beyond basic idle timeout.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation