diff --git a/application/src/main/java/org/thingsboard/server/controller/plugin/TbWebSocketHandler.java b/application/src/main/java/org/thingsboard/server/controller/plugin/TbWebSocketHandler.java
index 9274b989dd..a1c1d56be1 100644
--- a/application/src/main/java/org/thingsboard/server/controller/plugin/TbWebSocketHandler.java
+++ b/application/src/main/java/org/thingsboard/server/controller/plugin/TbWebSocketHandler.java
@@ -59,6 +59,7 @@ import org.thingsboard.server.service.ws.WsCommandsWrapper;
 import org.thingsboard.server.service.ws.notification.cmd.NotificationCmdsWrapper;
 import org.thingsboard.server.service.ws.telemetry.cmd.TelemetryCmdsWrapper;
 
+import javax.annotation.PostConstruct;
 import javax.websocket.RemoteEndpoint;
 import javax.websocket.SendHandler;
 import javax.websocket.SendResult;
@@ -104,6 +105,8 @@ public class TbWebSocketHandler extends TextWebSocketHandler implements WebSocke
     private long pingTimeout;
     @Value("${server.ws.max_queue_messages_per_session:1000}")
     private int wsMaxQueueMessagesPerSession;
+    @Value("${server.ws.auth_timeout_ms:10000}")
+    private int authTimeoutMs;
 
     private final ConcurrentMap<String, WebSocketSessionRef> blacklistedSessions = new ConcurrentHashMap<>();
 
@@ -112,18 +115,23 @@ public class TbWebSocketHandler extends TextWebSocketHandler implements WebSocke
     private final ConcurrentMap<UserId, Set<String>> regularUserSessionsMap = new ConcurrentHashMap<>();
     private final ConcurrentMap<UserId, Set<String>> publicUserSessionsMap = new ConcurrentHashMap<>();
 
-    private final Cache<String, SessionMetaData> pendingSessions = Caffeine.newBuilder()
-            .expireAfterWrite(10, TimeUnit.SECONDS)
-            .<String, SessionMetaData>removalListener((sessionId, sessionMd, removalCause) -> {
-                if (removalCause == RemovalCause.EXPIRED && sessionMd != null) {
-                    try {
-                        close(sessionMd.sessionRef, CloseStatus.POLICY_VIOLATION);
-                    } catch (IOException e) {
-                        log.warn("IO error", e);
+    private Cache<String, SessionMetaData> pendingSessions;
+
+    @PostConstruct
+    private void init() {
+        pendingSessions = Caffeine.newBuilder()
+                .expireAfterWrite(authTimeoutMs, TimeUnit.MILLISECONDS)
+                .<String, SessionMetaData>removalListener((sessionId, sessionMd, removalCause) -> {
+                    if (removalCause == RemovalCause.EXPIRED && sessionMd != null) {
+                        try {
+                            close(sessionMd.sessionRef, CloseStatus.POLICY_VIOLATION);
+                        } catch (IOException e) {
+                            log.warn("IO error", e);
+                        }
                     }
-                }
-            })
-            .build();
+                })
+                .build();
+    }
 
     @Override
     public void handleTextMessage(WebSocketSession session, TextMessage message) {
diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index 9421dfa742..b7829d2b88 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@@ -76,6 +76,8 @@ server:
     max_entities_per_alarm_subscription: "${TB_SERVER_WS_MAX_ENTITIES_PER_ALARM_SUBSCRIPTION:10000}"
     # Maximum queue size of the websocket updates per session. This restriction prevents infinite updates of WS
     max_queue_messages_per_session: "${TB_SERVER_WS_DEFAULT_QUEUE_MESSAGES_PER_SESSION:1000}"
+    # Maximum time between WS session opening and sending auth command
+    auth_timeout_ms: "${TB_SERVER_WS_AUTH_TIMEOUT_MS:10000}"
   rest:
     server_side_rpc:
       # Minimum value of the server-side RPC timeout. May override value provided in the REST API call.