diff --git a/docs/stackit_config_unset.md b/docs/stackit_config_unset.md
index 4a48b759e..77a2deaac 100644
--- a/docs/stackit_config_unset.md
+++ b/docs/stackit_config_unset.md
@@ -54,7 +54,7 @@ stackit config unset [flags]
  --serverbackup-custom-endpoint Server Backup base URL. If unset, uses the default base URL
  --service-account-custom-endpoint Service Account API base URL. If unset, uses the default base URL
  --service-enablement-custom-endpoint Service Enablement API base URL. If unset, uses the default base URL
- --session-time-limit Maximum time before authentication is required again. If unset, defaults to 2h
+ --session-time-limit Maximum time before authentication is required again. If unset, defaults to 12h
  --ske-custom-endpoint SKE API base URL. If unset, uses the default base URL
  --sqlserverflex-custom-endpoint SQLServer Flex API base URL. If unset, uses the default base URL
  --token-custom-endpoint Custom token endpoint of the Service Account API, which is used to request access tokens when the service account authentication is activated. Not relevant for user authentication.
diff --git a/internal/cmd/config/profile/import/template/profile.json b/internal/cmd/config/profile/import/template/profile.json
index ab56ce66b..dbc0bad02 100644
--- a/internal/cmd/config/profile/import/template/profile.json
+++ b/internal/cmd/config/profile/import/template/profile.json
@@ -25,7 +25,7 @@
  "serverbackup_custom_endpoint": "",
  "service_account_custom_endpoint": "",
  "service_enablement_custom_endpoint": "",
- "session_time_limit": "2h",
+ "session_time_limit": "12h",
  "ske_custom_endpoint": "",
  "sqlserverflex_custom_endpoint": "",
  "token_custom_endpoint": "",
diff --git a/internal/pkg/auth/auth.go b/internal/pkg/auth/auth.go
index ea549a2cb..dd56536d3 100644
--- a/internal/pkg/auth/auth.go
+++ b/internal/pkg/auth/auth.go
@@ -110,15 +110,23 @@ func GetAccessToken() (string, error) {
 
 func getStartingSessionExpiresAtUnix() (string, error) {
 	sessionStart := time.Now()
-	sessionTimeLimitString := viper.GetString(config.SessionTimeLimitKey)
-	sessionTimeLimit, err := time.ParseDuration(sessionTimeLimitString)
+	sessionTimeLimit, err := getSessionExpiration()
 	if err != nil {
-		return "", fmt.Errorf("parse session time limit \"%s\": %w", sessionTimeLimitString, err)
+		return "", err
 	}
 	sessionExpiresAt := sessionStart.Add(sessionTimeLimit)
 	return strconv.FormatInt(sessionExpiresAt.Unix(), 10), nil
 }
 
+func getSessionExpiration() (time.Duration, error) {
+	sessionTimeLimitString := viper.GetString(config.SessionTimeLimitKey)
+	duration, err := time.ParseDuration(sessionTimeLimitString)
+	if err != nil {
+		return 0, fmt.Errorf("parse session time limit \"%s\": %w", sessionTimeLimitString, err)
+	}
+	return duration, nil
+}
+
 func getEmailFromToken(token string) (string, error) {
 	// We can safely use ParseUnverified because we are not authenticating the user at this point,
 	// We are parsing the token just to get the service account e-mail
diff --git a/internal/pkg/auth/user_login.go b/internal/pkg/auth/user_login.go
index 8ac94743e..0921aa5a4 100644
--- a/internal/pkg/auth/user_login.go
+++ b/internal/pkg/auth/user_login.go
@@ -121,8 +121,13 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 	// Initialize the code verifier
 	codeVerifier := oauth2.GenerateVerifier()
 
+	// Generate max age based on the session time limit
+	maxSessionDuration, err := getSessionExpiration()
+	if err != nil {
+		return err
+	}
 	// Construct the authorization URL
-	authorizationURL := conf.AuthCodeURL("", oauth2.S256ChallengeOption(codeVerifier))
+	authorizationURL := conf.AuthCodeURL("", oauth2.S256ChallengeOption(codeVerifier), oauth2.SetAuthURLParam("max_age", fmt.Sprintf("%d", int64(maxSessionDuration.Seconds()))))
 
 	// Start a web server to listen on a callback URL
 	mux := http.NewServeMux()
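Review bot: getSessionExpiration returns whatever time.ParseDuration yields, including zero and negative durations, so a session_time_limit such as "0s" or "-1h" passes the parse and produces an already-expired timestamp in getStartingSessionExpiresAtUnix and a zero or negative max_age in the user_login.go hunk below. Since this value is the CLI's re-authentication bound, add a range check after the parse: `if duration <= 0 { return 0, fmt.Errorf("session time limit %q must be a positive duration", sessionTimeLimitString) }`. The name also reads as an instant rather than a length; `getSessionTimeLimit` would match the config key and the caller's `sessionTimeLimit` variable. The existing error message can use `%q` instead of `\"%s\"` to get the same quoting with proper escaping of the user-supplied string.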
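Review bot: `int64(maxSessionDuration.Seconds())` goes through float64 and truncates, so any configured limit below one second is sent as max_age=0, which OpenID Connect treats as a request to always re-authenticate; an integer division on the Duration, `fmt.Sprintf("%d", int64(maxSessionDuration/time.Second))`, avoids the float round-trip (this assumes `time` is imported in user_login.go, which the hunk does not show). The max_age parameter is only a hint to the identity provider and is separate from the local session expiry computed in getStartingSessionExpiresAtUnix; a comment such as `// max_age asks the IdP to re-authenticate when the last login is older than the session time limit; the local session expiry is tracked separately` would keep the two mechanisms from being confused. AuthorizeUser starts and ends outside the hunk.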
diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
index 957d7c475..d21d1ceec 100644
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -52,7 +52,7 @@ const (
 
 	AsyncDefault = false
 	RegionDefault = "eu01"
-	SessionTimeLimitDefault = "2h"
+	SessionTimeLimitDefault = "12h"
 	AllowedUrlDomainDefault = "stackit.cloud"
 )
 
diff --git a/internal/pkg/config/template/test_profile.json b/internal/pkg/config/template/test_profile.json
index ab56ce66b..dbc0bad02 100644
--- a/internal/pkg/config/template/test_profile.json
+++ b/internal/pkg/config/template/test_profile.json
@@ -25,7 +25,7 @@
  "serverbackup_custom_endpoint": "",
  "service_account_custom_endpoint": "",
  "service_enablement_custom_endpoint": "",
- "session_time_limit": "2h",
+ "session_time_limit": "12h",
  "ske_custom_endpoint": "",
  "sqlserverflex_custom_endpoint": "",
  "token_custom_endpoint": "",