What could potentially cause users not to be prompted for re-authentication despite session expiration being set for 8 hours?

When session expiration is set for a specific duration, the intended outcome is that users are prompted to re-authenticate once that time has elapsed. While the expiration policy applies generally, there are scenarios where certain devices or environments handle session management differently.

Mobile devices often have separate management policies that can be exempt from standard session expirations. For instance, mobile applications can maintain active sessions in the background or utilize token refresh mechanisms that allow continued access without prompting users for re-authentication, even after the session time limit has been reached. This can create a situation where, despite the expiration setting for 8 hours, users on mobile devices do not receive prompts for re-authentication as the session might still be considered active through other means, such as persistent logins.

Understanding the specific handling of authentication on various platforms, particularly mobile, is essential in addressing user experience and security concerns related to session management.