authelia/docs/configuration/session.md

---
layout: default
title: Session
parent: Configuration
nav_order: 9
---

# Session

**Authelia** relies on session cookies to authenticate users. When the user visits
a website of the protected domain `example.com` for the first time, Authelia detects
that there is no cookie for that user. Consequently, Authelia redirects the user
to the login portal through which the user should authenticate to get a cookie which
is valid for `*.example.com`, meaning all websites of the domain.
At the next request, Authelia receives the cookie associated to the authenticated user
and can then order the reverse proxy to let the request pass through to the application.

## Configuration

```yaml
session:
  # The name of the session cookie. (default: authelia_session).
  name: authelia_session

  # The secret to encrypt the session cookie.
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET
  secret: unsecure_session_secret

  # The time in seconds before the cookie expires and session is reset.
  expiration: 3600 # 1 hour

  # The inactivity time in seconds before the session is reset.
  inactivity: 300 # 5 minutes

  # The remember me duration.
  # Value of 0 disables remember me.
  # Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/session.html#duration-notation
  # Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy
  # or attack. Currently the default is 1M or 1 month.
  remember_me_duration:  1M

  # The domain to protect.
  # Note: the login portal must also be a subdomain of that domain.
  domain: example.com

  # The redis connection details (optional)
  # If not provided, sessions will be stored in memory
  redis:
    host: 127.0.0.1
    port: 6379
    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD
    password: authelia
```

### Security

Configuration of this section has an impact on security. You should read notes in
[security measures](../security/measures.md#session-security) for more information.

# Duration Notation

We have implemented a string based notation for configuration options that take a duration. This section describes its
usage.

**NOTE:** At the time of this writing, only remember_me_duration uses this value type. But we plan to change expiration
and inactivity.
 
The notation is comprised of a number which must be positive and not have leading zeros, followed by a letter
denoting the unit of time measurement. The table below describes the units of time and the associated letter.

|Unit   |Associated Letter|
|:-----:|:---------------:|
|Years  |y                |
|Months |M                |
|Weeks  |w                |
|Days   |d                |
|Hours  |h                |
|Minutes|m                |
|Seconds|s                |

Examples:
* 1 hour and 30 minutes: 90m
* 1 day: 1d
* 10 hours: 10h
[DOCS] Bootstrap new documentation website based on just-the-docs (#659) 2020-02-29 00:43:59 +00:00			`---`
			`layout: default`
			`title: Session`
			`parent: Configuration`
			`nav_order: 9`
			`---`

			`# Session`

			`Authelia relies on session cookies to authenticate users. When the user visits`
			a website of the protected domain `example.com` for the first time, Authelia detects
			`that there is no cookie for that user. Consequently, Authelia redirects the user`
			`to the login portal through which the user should authenticate to get a cookie which`
			is valid for `*.example.com`, meaning all websites of the domain.
			`At the next request, Authelia receives the cookie associated to the authenticated user`
			`and can then order the reverse proxy to let the request pass through to the application.`

			`## Configuration`

			```yaml
			`session:`
			`# The name of the session cookie. (default: authelia_session).`
			`name: authelia_session`

			`# The secret to encrypt the session cookie.`
			`# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET`
			`secret: unsecure_session_secret`

			`# The time in seconds before the cookie expires and session is reset.`
			`expiration: 3600 # 1 hour`

			`# The inactivity time in seconds before the session is reset.`
			`inactivity: 300 # 5 minutes`

[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording 2020-04-03 23:11:33 +00:00			`# The remember me duration.`
			`# Value of 0 disables remember me.`
			`# Value is in seconds, or duration notation. See: https://docs.authelia.com/configuration/session.html#duration-notation`
			`# Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to spy`
			`# or attack. Currently the default is 1M or 1 month.`
			`remember_me_duration: 1M`

[DOCS] Bootstrap new documentation website based on just-the-docs (#659) 2020-02-29 00:43:59 +00:00			`# The domain to protect.`
			`# Note: the login portal must also be a subdomain of that domain.`
			`domain: example.com`

			`# The redis connection details (optional)`
			`# If not provided, sessions will be stored in memory`
			`redis:`
			`host: 127.0.0.1`
			`port: 6379`
			`# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD`
			`password: authelia`
[FEATURE] Remember Me Configuration (#813) * [FEATURE] Remember Me Configuration * allow users to specify the duration of remember me using remember_me_duration in session config * setting the duration to 0 disables remember me * only render the remember me element if remember me is enabled * prevent malicious users from faking remember me functionality in the backend * add string to duration helper called ParseDurationString to parse a string into a duration * added tests to the helper function * use the SessionProvider to store the time.Duration instead of parsing it over and over again * add sec doc, adjust month/min, consistency * renamed internal/utils/constants.go to internal/utils/const.go to be consistent * added security measure docs * adjusted default remember me duration to be 1 month instead of 1 year * utilize default remember me duration in the autheliaCtx mock * adjust order of keys in session configuration examples * add notes on session security measures secret only being redis * add TODO items for duration notation for both Expiration and Inactivity (will be removed soon) * fix error text for Inactivity in the validator * add session validator tests * deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY) * remove unnecessary regex for the simplified ParseDurationString utility * ParseDurationString only accepts decimals without leading zeros now * comprehensively test all unit types * remove unnecessary type unions in web * add test to check sanity of time duration consts, this is just so they can't be accidentally changed * simplify deref check and assignment * fix reset password padding/margins * adjust some doc wording * adjust the handler configuration suite test * actually run the handler configuration suite test (whoops) * reduce the number of regex's used by ParseDurationString to 1, thanks to Clement * adjust some error wording 2020-04-03 23:11:33 +00:00			```

			`### Security`

			`Configuration of this section has an impact on security. You should read notes in`
			`[security measures](../security/measures.md#session-security) for more information.`

			`# Duration Notation`

			`We have implemented a string based notation for configuration options that take a duration. This section describes its`
			`usage.`

			`NOTE: At the time of this writing, only remember_me_duration uses this value type. But we plan to change expiration`
			`and inactivity.`

			`The notation is comprised of a number which must be positive and not have leading zeros, followed by a letter`
			`denoting the unit of time measurement. The table below describes the units of time and the associated letter.`

			`\|Unit \|Associated Letter\|`
			`\|:-----:\|:---------------:\|`
			`\|Years \|y \|`
			`\|Months \|M \|`
			`\|Weeks \|w \|`
			`\|Days \|d \|`
			`\|Hours \|h \|`
			`\|Minutes\|m \|`
			`\|Seconds\|s \|`

			`Examples:`
			`* 1 hour and 30 minutes: 90m`
			`* 1 day: 1d`
			`* 10 hours: 10h`