authelia/docs/configuration/session.md
James Elliott b9fb33d806
[FEATURE] File Secrets (#896)
* [FEATURE] File Secret Loading

* add a validator for secrets
* run the secrets validator before the main config validator
* only allow a secret to be defined in one of: config, env, file env
* remove LF if found in file
* update configuration before main config validation
* fix unit tests
* implement secret testing
* refactor the secrets validator
* make check os agnostic
* update docs
* add warning when user attempts to use ENV instead of ENV file
* discourage ENV in docs
* update config template
* oxford comma
* apply suggestions from code review
* rename Validate to ValidateConfiguration
* add k8s example
* add deprecation notice in docs and warning
* style changes
2020-04-23 11:11:32 +10:00


---
layout: default
title: Session
parent: Configuration
nav_order: 9
---

# Session

Authelia relies on session cookies to authenticate users. When the user visits a website of the protected domain example.com for the first time, Authelia detects that there is no cookie for that user. Consequently, Authelia redirects the user to the login portal, through which the user authenticates to obtain a cookie that is valid for *.example.com, meaning all websites of the domain. On the next request, Authelia receives the cookie associated with the authenticated user and can then instruct the reverse proxy to let the request pass through to the application.

## Configuration

```yaml
session:
  # The name of the session cookie. (default: authelia_session).
  name: authelia_session

  # The secret used to encrypt the session cookie. Replace this placeholder with a long random value.
  # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
  secret: unsecure_session_secret

  # The time before the cookie expires and the session is reset.
  # Value is in seconds, or duration notation.
  expiration: 1h

  # The inactivity time before the session is reset.
  # Value is in seconds, or duration notation.
  inactivity: 5m

  # The remember me duration.
  # Value of 0 disables remember me.
  # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
  # Longer periods are considered less secure because a stolen cookie will last longer, giving attackers more time to spy
  # or attack. Currently the default is 1M or 1 month.
  remember_me_duration: 1M

  # The domain to protect.
  # Note: the login portal must also be a subdomain of that domain.
  domain: example.com

  # The redis connection details (optional).
  # If not provided, sessions will be stored in memory.
  redis:
    host: 127.0.0.1
    port: 6379
    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
    password: authelia
```

## Security

Configuration of this section has an impact on security. You should read the notes in the security measures documentation for more information.

## Duration Notation

The configuration parameters expiration, inactivity, and remember_me_duration use duration notation. See the documentation for duration notation format for more information.
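The following Go program is an added example, not Authelia's own code, showing how the duration notation used by `expiration`, `inactivity` and `remember_me_duration` can be parsed and how the parsed values can be sanity-checked before they are used. It takes from the page only that a bare integer is a number of seconds and that suffixes such as `5m`, `1h` and `1M` (one month) exist; the remaining units (`d`, `w`, `y`), the fixed 30-day month and 365-day year, and the validation rules (rejecting the template placeholder secret, flagging an inactivity timeout longer than the expiration) are assumptions of this example and not Authelia's validator.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Unit lengths used by this example. The page shows bare integers as seconds
// and the suffixes m, h and M (one month); d, w and y and the fixed lengths of
// a month and a year are assumptions of this example, not Authelia's rules.
var unitSeconds = map[byte]int64{
	's': 1,
	'm': 60,
	'h': 60 * 60,
	'd': 24 * 60 * 60,
	'w': 7 * 24 * 60 * 60,
	'M': 30 * 24 * 60 * 60,
	'y': 365 * 24 * 60 * 60,
}

// ParseDuration converts duration notation ("3600", "5m", "1h", "1M") into a
// time.Duration. A bare non-negative integer is a number of seconds.
func ParseDuration(s string) (time.Duration, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return 0, errors.New("empty duration")
	}
	if n, err := strconv.ParseInt(s, 10, 64); err == nil {
		if n < 0 {
			return 0, fmt.Errorf("negative duration %q", s)
		}
		return time.Duration(n) * time.Second, nil
	}
	unit := s[len(s)-1]
	mult, ok := unitSeconds[unit]
	if !ok {
		return 0, fmt.Errorf("unknown unit %q in duration %q", unit, s)
	}
	n, err := strconv.ParseInt(s[:len(s)-1], 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid duration %q", s)
	}
	return time.Duration(n*mult) * time.Second, nil
}

// SessionConfig holds the raw string values of the session keys shown above.
type SessionConfig struct {
	Secret, Domain, Expiration, Inactivity, RememberMeDuration string
}

// ParsedSession is the validated, parsed form of SessionConfig.
type ParsedSession struct {
	Expiration, Inactivity, RememberMe time.Duration
	RememberMeEnabled                  bool
}

// ValidateSession parses the durations and applies sanity checks. The checks
// (placeholder secret rejected, inactivity not longer than expiration) are this
// example's own rules, not Authelia's validator.
func ValidateSession(c SessionConfig) (ParsedSession, []error) {
	var p ParsedSession
	var errs []error
	if c.Secret == "" || c.Secret == "unsecure_session_secret" {
		errs = append(errs, errors.New("session.secret must be set and must not be the template placeholder"))
	}
	if c.Domain == "" {
		errs = append(errs, errors.New("session.domain must be set"))
	}
	var err error
	if p.Expiration, err = ParseDuration(c.Expiration); err != nil {
		errs = append(errs, fmt.Errorf("session.expiration: %w", err))
	}
	if p.Inactivity, err = ParseDuration(c.Inactivity); err != nil {
		errs = append(errs, fmt.Errorf("session.inactivity: %w", err))
	}
	if p.RememberMe, err = ParseDuration(c.RememberMeDuration); err != nil {
		errs = append(errs, fmt.Errorf("session.remember_me_duration: %w", err))
	}
	// A value of 0 disables remember me, as the configuration comment states.
	p.RememberMeEnabled = p.RememberMe > 0
	// Example rule: the session is reset at expiration anyway, so an inactivity
	// timeout longer than the expiration can never take effect.
	if p.Expiration > 0 && p.Inactivity > p.Expiration {
		errs = append(errs, errors.New("session.inactivity is longer than session.expiration and will never trigger"))
	}
	return p, errs
}

func main() {
	// Constructed sample: the template values from the configuration above.
	template := SessionConfig{Secret: "unsecure_session_secret", Domain: "example.com",
		Expiration: "1h", Inactivity: "5m", RememberMeDuration: "1M"}
	p, errs := ValidateSession(template)
	fmt.Printf("parsed: %+v\n", p)
	for _, e := range errs {
		fmt.Println("error:", e)
	}
}
```

Running it against the template values above parses `1h`, `5m` and `1M` correctly and reports a single error, the placeholder `unsecure_session_secret`; setting `remember_me_duration: 0` yields `RememberMeEnabled: false`, matching the comment in the configuration.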