diff --git a/app.py b/app.py
index 878f4518b40524ec4f77b8a4ae422fad1bb240f5..b91ee7dd34b471a416a168cfb8d43428add111f8 100644
--- a/app.py
+++ b/app.py
@@ -16,9 +16,16 @@ def create_app(test_config=None):
 	# oauthlib enforces the OAuth2.0 requirement to use HTTPS, when this is not set
 	os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1' # That behaviour sucks, so disable it
 
+	def session_valid():
+		if not session.get('user_id'):
+			return False
+		if datetime.datetime.now().timestamp() > session['logintime'] + current_app.config['SESSION_LIFETIME_SECONDS']:
+			return False
+		return True
+
 	@app.route("/auth")
 	def auth():
-		if not session.get('user_id'):
+		if not session_valid():
 			abort(401)
 		resp = Response('Ok', 200)
 		resp.headers['OAUTH-USER-ID'] = session['user_id']
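Review bot: `session_valid` indexes `session['logintime']` directly, so a session that carries a `user_id` but no `logintime` (any cookie issued before this change, or any other code path that sets `user_id` without passing through the login route) raises `KeyError` and `/auth` answers 500 instead of the intended 401. Treat a missing timestamp as expired: `login_time = session.get('logintime')` followed by `if login_time is None or datetime.datetime.now().timestamp() > login_time + current_app.config['SESSION_LIFETIME_SECONDS']: return False`. Since `logintime` lives in the signed client-side session, the expiry check cannot be bypassed by editing the cookie, but an expired session is also never cleared here; consider `session.clear()` before `abort(401)` so the stale cookie is not resent on every request. The naive `datetime.now().timestamp()` is consistent between writer and reader, but `time.time()` says the same thing with fewer moving parts.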
@@ -38,6 +45,7 @@ def create_app(test_config=None):
 		client = get_oauth()
 		url, state = client.authorization_url(app.config['OAUTH2_AUTH_URL'])
 		session['state'] = state
+		session['logintime'] = datetime.datetime.now().timestamp()
 		parts = request.full_path.split('?rawurl=', 1)
 		if len(parts) == 2:
 			session['url'] = parts[1]
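Review bot: `session['logintime']` is stamped when the authorization redirect is issued, before the provider has authenticated anyone, so the lifetime clock starts at the beginning of the flow rather than at successful login, and every hit on this route refreshes the stamp for an already-authenticated session without completing a new authentication. If the callback that sets `session['user_id']` is where authentication actually succeeds (it is outside this hunk), that is the place to write `session['logintime'] = datetime.datetime.now().timestamp()`, next to the `user_id` assignment, and this line can be dropped. The enclosing login function starts before this hunk, so the route name and any existing guard are inferred, not seen.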
diff --git a/default_config.py b/default_config.py
index 4d3d06163730cda9b6e2838fcd5e344d9fee7e7e..cb01286cb4a66c628bae1d60dacf85bda42d6146 100644
--- a/default_config.py
+++ b/default_config.py
@@ -12,3 +12,4 @@ OAUTH2_USERINFO_URL = 'http://localhost:5001/oauth2/userinfo'
 SESSION_COOKIE_SECURE=True
 SESSION_COOKIE_HTTPONLY=True
 SESSION_COOKIE_SAMESITE='Strict'
+SESSION_LIFETIME_SECONDS=3600
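Review bot: The new setting has no comment saying what it bounds or where it is enforced, and nothing in the config ties it to the cookie itself, so a reader may assume it sets a cookie expiry. A one-line comment avoids that: `# Seconds after login start before /auth rejects the session (enforced by session_valid in app.py, not by the cookie's expiry)`. If a browser-lifetime cookie is not acceptable, Flask's `PERMANENT_SESSION_LIFETIME` together with `session.permanent = True` is the separate knob that controls the cookie's own max age.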