diff --git a/api/auth.go b/api/auth.go
index d8289c106..b06d62922 100644
--- a/api/auth.go
+++ b/api/auth.go
@@ -47,8 +47,8 @@ func getSession(r *http.Request) (*db.Session, bool) {
 return nil, false
 }
- if time.Since(session.LastActive).Hours() > 7*24 {
- // more than week old unused session
+ if time.Since(session.LastActive).Hours() > float64(util.Config.Auth.MaxSessionLifeHours) {
+ // session expired due to inactivity
 // destroy.
 if err = helpers.Store(r).ExpireSession(userID, sessionID); err != nil {
 // it is internal error, it doesn't concern the user
diff --git a/pro/go.mod b/pro/go.mod
index 6fa591924..4eff7283f 100644
--- a/pro/go.mod
+++ b/pro/go.mod
@@ -40,10 +40,10 @@ require (
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/skeema/knownhosts v1.3.1 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
- golang.org/x/crypto v0.45.0 // indirect
+ golang.org/x/crypto v0.46.0 // indirect
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
 golang.org/x/net v0.47.0 // indirect
- golang.org/x/sys v0.38.0 // indirect
+ golang.org/x/sys v0.39.0 // indirect
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 modernc.org/libc v1.66.10 // indirect
diff --git a/pro/go.sum b/pro/go.sum
index 075b3c795..7d0c577c6 100644
--- a/pro/go.sum
+++ b/pro/go.sum
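Review bot: The new bound in getSession is read straight from configuration with no range check, so a `MaxSessionLifeHours` of 0 or below makes `time.Since(session.LastActive).Hours() > float64(...)` true for every session and each request destroys its own session, while a very large value effectively turns idle expiry off. Whether the `default:"168"` tag has been applied by the time this runs is not visible in the diff, so the comparison should defend itself, for example `maxHours := util.Config.Auth.MaxSessionLifeHours` followed by `if maxHours <= 0 { maxHours = 168 }`. The identical condition is added to `GetSession` in services/session_svc.go; a single shared helper would keep the two expiry checks from drifting apart. getSession's body starts and ends outside the hunk.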
@@ -120,6 +120,7 @@ go.etcd.io/bbolt v1.4.1/go.mod h1:c8zu2BnXWTu2XM4XcICtbGSl9cFwsXtcf9zLt2OncM8= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o= golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8= golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
@@ -138,6 +139,7 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU= golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
diff --git a/services/session_svc.go b/services/session_svc.go
index aa40d13c1..5bedc6a78 100644
--- a/services/session_svc.go
+++ b/services/session_svc.go
@@ -49,8 +49,8 @@ func (s *sessionServiceImpl) GetSession(cookie http.Cookie) (*db.Session, bool) {
 return nil, false
 }
- if time.Since(session.LastActive).Hours() > 7*24 {
- // more than week old unused session
+ if time.Since(session.LastActive).Hours() > float64(util.Config.Auth.MaxSessionLifeHours) {
+ // session expired due to inactivity
 // destroy.
 if err = s.sessionRepo.ExpireSession(userID, sessionID); err != nil {
 // it is internal error, it doesn't concern the user
diff --git a/util/config_auth.go b/util/config_auth.go
index c5f4ef577..d9c6a44c6 100644
--- a/util/config_auth.go
+++ b/util/config_auth.go
@@ -16,4 +16,9 @@ type EmailAuthConfig struct {
 type AuthConfig struct {
 Totp *TotpConfig `json:"totp,omitempty"`
 Email *EmailAuthConfig `json:"email,omitempty"`
+
+ // MaxSessionLifeHours defines the maximum lifetime of a session in hours.
+ // After this period of inactivity, the session will expire.
+ // Default is 168 hours (7 days).
+ MaxSessionLifeHours int `json:"max_session_life_hours,omitempty" default:"168" env:"SEMAPHORE_MAX_SESSION_LIFE_HOURS"`
 }
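Review bot: The field name and the first comment line on `MaxSessionLifeHours` describe a maximum session lifetime, but both places that read it in this diff compare it with `session.LastActive`, so it is an idle timeout and a session that stays in use is never bounded by it. I would reword the comment to `// MaxSessionLifeHours is the idle timeout in hours: a session unused for longer than this is expired.` and add a line saying no absolute lifetime limit is enforced, so operators do not assume one. The comment should also say what 0 or a negative value means, since neither reader checks the range and nothing in this struct validates the value when the configuration is loaded.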