* added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2.3 KiB
layout | title | parent | nav_order |
---|---|---|---|
default | Session | Configuration | 9 |
Session
Authelia relies on session cookies to authenticate users. When the user visits
a website of the protected domain example.com
for the first time, Authelia detects
that there is no cookie for that user. Consequently, Authelia redirects the user
to the login portal through which the user should authenticate to get a cookie which
is valid for *.example.com
, meaning all websites of the domain.
At the next request, Authelia receives the cookie associated to the authenticated user
and can then order the reverse proxy to let the request pass through to the application.
Configuration
session:
# The name of the session cookie. (default: authelia_session).
name: authelia_session
# The secret to encrypt the session cookie.
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET
secret: unsecure_session_secret
# The time in seconds before the cookie expires and session is reset.
expiration: 1h
# The inactivity time in seconds before the session is reset.
inactivity: 5m
# The remember me duration.
# Value of 0 disables remember me.
# Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
# Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
# or attack. Currently the default is 1M or 1 month.
remember_me_duration: 1M
# The domain to protect.
# Note: the login portal must also be a subdomain of that domain.
domain: example.com
# The redis connection details (optional)
# If not provided, sessions will be stored in memory
redis:
host: 127.0.0.1
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD
password: authelia
Security
Configuration of this section has an impact on security. You should read notes in security measures for more information.
Duration Notation
The configuration parameters expiration, inactivity, and remember_me_duration use duration notation. See the documentation for duration notation format for more information.