authelia/docs/configuration/session.md
2020-12-16 11:31:39 +11:00

2.7 KiB

layout title parent nav_order
default Session Configuration 8

Session

Authelia relies on session cookies to authenticate users. When the user visits a website of the protected domain example.com for the first time, Authelia detects that there is no cookie for that user. Consequently, Authelia redirects the user to the login portal through which the user should authenticate to get a cookie which is valid for *.example.com, meaning all websites of the domain. At the next request, Authelia receives the cookie associated to the authenticated user and can then order the reverse proxy to let the request pass through to the application.

Configuration

session:
  # The name of the session cookie. (default: authelia_session).
  name: authelia_session

  # The secret to encrypt the session data. This is only used with Redis.
  # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
  secret: unsecure_session_secret

  # The time in seconds before the cookie expires and session is reset.
  expiration: 1h

  # The inactivity time in seconds before the session is reset.
  inactivity: 5m

  # The remember me duration.
  # Value of 0 disables remember me.
  # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
  # Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
  # or attack. Currently the default is 1M or 1 month.
  remember_me_duration:  1M

  # The domain to protect.
  # Note: the login portal must also be a subdomain of that domain.
  domain: example.com

  # The redis connection details (optional)
  # If not provided, sessions will be stored in memory
  redis:
    host: 127.0.0.1
    port: 6379
    # Use a unix socket instead
    # host: /var/run/redis/redis.sock

    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
    password: authelia

Security

Configuration of this section has an impact on security. You should read notes in security measures for more information.

Duration Notation

The configuration parameters expiration, inactivity, and remember_me_duration use duration notation. See the documentation for duration notation format for more information.

IPv6 Addresses

If utilising an IPv6 literal address it must enclosed by square brackets and quoted:

host: "[fd00:1111:2222:3333::1]"

Loading a password from a secret instead of inside the configuration

Password can also be defined using a secret.