Back to the knowledgebase

What is an elevated session and why does the CMS sometimes ask me to re-enter my password?

Occasionally, when performing certain actions in the CMS- such as managing user accounts or changing permissions- you may be prompted to confirm your password even though you are already logged in. This is called an elevated session prompt, and it is a deliberate security feature.

What it is
An elevated session is a short-lived period of heightened authentication. When you confirm your password, the CMS grants you elevated access for a limited time- on your site this window is 30 minutes. During that window you can perform sensitive actions without being prompted again. Once it expires, you will be asked to confirm your password if you attempt another sensitive action.

Why it exists
The purpose of elevated sessions is to protect against a scenario where someone gains access to your browser session without your knowledge- for example, if you leave your computer unlocked and unattended. Even if the browser session is active, performing sensitive changes such as creating users, changing roles, or modifying permissions requires a fresh password confirmation. This means briefly accessing an unlocked computer is not sufficient to make significant account-level changes.

What triggers an elevated session prompt
Elevated session prompts are triggered by actions the CMS considers security-sensitive. Day-to-day content editing- creating entries, uploading assets, publishing pages- does not require an elevated session. You are most likely to encounter the prompt when working in the Users section of the control panel.

Similar articles