Update docs

docs/user/security/authentication/index.asciidoc

@@ -188,9 +188,10 @@ The following sections apply both to <<saml>> and <<oidc>>
 
 Once the user logs in to {kib} Single Sign-On, either using SAML or OpenID Connect, {es} issues access and refresh tokens
 that {kib} encrypts and stores them in its own session cookie. This way, the user isn't redirected to the Identity Provider
-for every request that requires authentication. It also means that the {kib} session depends on the `xpack.security.sessionTimeout` 
-setting and the user is automatically logged out if the session expires. An access token that is stored in the session cookie 
-can expire, in which case {kib} will automatically renew it with a one-time-use refresh token and store it in the same cookie.
+for every request that requires authentication. It also means that the {kib} session depends on the `xpack.security.session.idleTimeout`
+and `xpack.security.session.lifespan` settings, and the user is automatically logged out if the session expires. An access token
+that is stored in the session cookie can expire, in which case {kib} will automatically renew it with a one-time-use refresh
+token and store it in the same cookie.
 
 {kib} can only determine if an access token has expired if it receives a request that requires authentication. If both access
 and refresh tokens have already expired (for example, after 24 hours of inactivity), {kib} initiates a new "handshake" and

docs/user/security/securing-kibana.asciidoc

@@ -56,16 +56,31 @@ xpack.security.encryptionKey: "something_at_least_32_characters"
 For more information, see <<security-settings-kb,Security Settings in {kib}>>.
 --
 
-. Optional: Change the default session duration. By default, sessions stay
-active until the browser is closed. To change the duration, set the
-`xpack.security.sessionTimeout` property in the `kibana.yml` configuration file.
-The timeout is specified in milliseconds. For example, set the timeout to 600000
-to expire sessions after 10 minutes:
+. Optional: Set a timeout to expire idle sessions. By default, a session stays
+active until the browser is closed. To define a sliding session expiration, set
+the `xpack.security.session.idleTimeout` property in the `kibana.yml`
+configuration file. The idle timeout is specified in milliseconds. For example,
+set the idle timeout to 600000 to expire idle sessions after 10 minutes:
 +
 --
 [source,yaml]
 --------------------------------------------------------------------------------
-xpack.security.sessionTimeout: 600000
+xpack.security.session.idleTimeout: 600000
+--------------------------------------------------------------------------------
+--
+
+. Optional: Change the maximum session duration or "lifespan" -- also known as
+the "absolute timeout". By default, a session stays active until the browser is
+closed; also, if an idle timeout is defined, a session can still be extended
+indefinitely. To define a maximum session lifespan, set the
+`xpack.security.session.lifespan` property in the `kibana.yml` configuration
+file. The lifespan is specified in milliseconds. For example, set the lifespan
+to 28800000 to expire sessions after 8 hours:
++
+--
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.session.lifespan: 28800000
 --------------------------------------------------------------------------------
 --