mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
b9fb33d806
* [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
63 lines
2.3 KiB
Markdown
---
layout: default
title: Session
parent: Configuration
nav_order: 9
---

# Session

**Authelia** relies on session cookies to authenticate users. When the user visits
a website of the protected domain `example.com` for the first time, Authelia detects
that there is no cookie for that user. Consequently, Authelia redirects the user
to the login portal, through which the user authenticates to obtain a cookie that
is valid for `*.example.com`, meaning all websites of the domain.
On the next request, Authelia receives the cookie associated with the authenticated user
and can then instruct the reverse proxy to let the request pass through to the application.

## Configuration

```yaml
session:
  # The name of the session cookie. (default: authelia_session).
  name: authelia_session

  # The secret to encrypt the session cookie.
  # Secret can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
  secret: unsecure_session_secret

  # The time before the cookie expires and the session is reset.
  # Value is in seconds, or duration notation (see below).
  expiration: 1h

  # The inactivity time before the session is reset.
  # Value is in seconds, or duration notation (see below).
  inactivity: 5m

  # The remember me duration.
  # Value of 0 disables remember me.
  # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/index.html#duration-notation-format
  # Longer periods are considered less secure because a stolen cookie will last longer, giving attackers more time to spy
  # or attack. Currently the default is 1M, i.e. 1 month.
  remember_me_duration: 1M

  # The domain to protect.
  # Note: the login portal must also be a subdomain of that domain.
  domain: example.com

  # The redis connection details (optional).
  # If not provided, sessions will be stored in memory.
  redis:
    host: 127.0.0.1
    port: 6379
    # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
    password: authelia
```

### Security

Configuration of this section has an impact on security. You should read the notes in
[security measures](../security/measures.md#session-security) for more information.

### Duration Notation

The configuration parameters `expiration`, `inactivity`, and `remember_me_duration` use duration notation. See the documentation
for the [duration notation format](index.md#duration-notation-format) for more information.
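As an added illustration (not part of Authelia's own code base or this documentation), the following Go program parses the duration notation used by the session keys above and runs the pre-deployment checks a reviewer would apply to the `session` block: the template secret left in place, a login portal host outside `domain`, and an `inactivity` value that exceeds `expiration`. The unit table (`s`, `m`, `h`, `d`, `w`, `M`, `y`, bare integer as seconds) and the 30-day month are assumptions about the notation, and `PortalHost` is a hypothetical field holding the host part of the portal URL.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Assumed unit multipliers for duration notation (the docs show "5m", "1h" and
// "1M" = one month); a bare integer is seconds. Month = 30 days, year = 365 days.
var unitSeconds = map[byte]int64{'s': 1, 'm': 60, 'h': 3600, 'd': 86400,
	'w': 7 * 86400, 'M': 30 * 86400, 'y': 365 * 86400}

// ParseDuration turns "5m", "1h", "1M" or "3600" into a time.Duration.
func ParseDuration(s string) (time.Duration, error) {
	unit, digits := byte('s'), s
	if l := len(s); l > 0 && (s[l-1] < '0' || s[l-1] > '9') {
		unit, digits = s[l-1], s[:l-1]
	}
	mult, ok := unitSeconds[unit]
	n, err := strconv.ParseInt(digits, 10, 64)
	if !ok || err != nil || n < 0 {
		return 0, fmt.Errorf("invalid duration notation %q", s)
	}
	return time.Duration(n*mult) * time.Second, nil
}

// SessionConfig holds the session keys the checks need; PortalHost is hypothetical.
type SessionConfig struct {
	Secret, Domain, PortalHost, Expiration, Inactivity, RememberMe string
}

// CheckSession lists the problems a reviewer would flag in the session block.
func CheckSession(c SessionConfig) []string {
	var problems []string
	if c.Secret == "" || c.Secret == "unsecure_session_secret" {
		problems = append(problems, "secret is empty or still the template value")
	}
	// The portal must be the protected domain itself or one of its subdomains.
	if c.PortalHost != c.Domain && !strings.HasSuffix(c.PortalHost, "."+c.Domain) {
		problems = append(problems, "login portal is not a subdomain of domain")
	}
	exp, errE := ParseDuration(c.Expiration)
	inact, errI := ParseDuration(c.Inactivity)
	if _, errR := ParseDuration(c.RememberMe); errE != nil || errI != nil || errR != nil {
		problems = append(problems, "expiration, inactivity and remember_me_duration must use duration notation")
	} else if inact > exp { // the session expires before inactivity could ever reset it
		problems = append(problems, "inactivity exceeds expiration, so it never triggers")
	}
	return problems
}
```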