authelia/docs/configuration/session/index.md
yossbg 05406cfc7b
feat(ntp): check clock sync on startup (#2251)
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-09-17 14:44:35 +10:00

4.9 KiB

layout title parent nav_order has_children
default Session Configuration 13 true

Session

Authelia relies on session cookies to authenticate users. When the user visits a website of the protected domain example.com for the first time, Authelia detects that there is no cookie for that user. Consequently, Authelia redirects the user to the login portal through which the user should authenticate to get a cookie which is valid for *.example.com, meaning all websites of the domain. At the next request, Authelia receives the cookie associated to the authenticated user and can then order the reverse proxy to let the request pass through to the application.

Configuration

session:
  name: authelia_session
  domain: example.com
  same_site: lax
  secret: unsecure_session_secret
  expiration: 1h
  inactivity: 5m
  remember_me_duration:  1M

Providers

There are currently two providers for session storage (three if you count Redis Sentinel as a separate provider):

  • Memory (default, stateful, no additional configuration)
  • Redis (stateless).
  • Redis Sentinel (stateless, highly available).

Kubernetes or High Availability

It's important to note when picking a provider, the stateful providers are not recommended in High Availability scenarios like Kubernetes. Each provider has a note beside it indicating it is stateful or stateless the stateless providers are recommended.

Options

name

type: string {: .label .label-config .label-purple } default: authelia_session {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

The name of the session cookie. By default this is set to authelia_session. It's mostly useful to change this if you are doing development or running multiple instances of Authelia.

domain

type: string {: .label .label-config .label-purple } required: yes {: .label .label-config .label-red }

The domain the cookie is assigned to protect. This must be the same as the domain Authelia is served on or the root of the domain. For example if listening on auth.example.com the cookie should be auth.example.com or example.com.

same_site

type: string {: .label .label-config .label-purple } default: lax {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

Sets the cookies SameSite value. Prior to offering the configuration choice this defaulted to None. The new default is Lax. This option is defined in lower-case. So for example if you want to set it to Strict, the value in configuration needs to be strict.

You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally the most desirable option for Authelia. None is not recommended unless you absolutely know what you're doing and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in this state but it's available as an option anyway.

secret

type: string {: .label .label-config .label-purple } required: yes {: .label .label-config .label-red }

The secret key used to encrypt session data in Redis. It's recommended this is set using a secret.

expiration

type: string (duration) {: .label .label-config .label-purple } default: 1h {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

The time in duration notation format before the cookie expires and the session is destroyed. This is overriden by remember_me_duration when the remember me box is checked.

inactivity

type: string (duration) {: .label .label-config .label-purple } default: 5m {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

The time in duration notation format the user can be inactive for until the session is destroyed. Useful if you want long session timers but don't want unused devices to be vulnerable.

remember_me_duration

type: string (duration) {: .label .label-config .label-purple } default: 1M {: .label .label-config .label-blue } required: no {: .label .label-config .label-green }

The time in duration notation format the cookie expires and the session is destroyed when the remember me box is checked.

Security

Configuration of this section has an impact on security. You should read notes in security measures for more information.

Loading a password from a secret instead of inside the configuration

Password can also be defined using a secret.