Skip to main content

Session lifespan

Each session is valid for a set amount of time. This time is the session's lifespan. When the session lifespan expires, the user must re-authenticate.

In the configuration, session lifespan is expressed in hours, minutes, and seconds. Use a combination of these units to define the desired lifespan. For example: 72h, 10m, 12s, 1h13m3s.

To change the session lifespan, go to Ory ConsoleSession Settings, enter the desired lifespan and click the Save button.

For example, to set the session lifespan to 30 days, enter 720h.

By default, the session cookie max-age is the same as the set session lifespan. To disable this behavior and allow to define a different cookie max-age, set the session/cookie/persistent value to false:

  1. Download the Ory Identities config from your project and save it to a file:

    ## List all available workspaces
    ory list workspaces

    ## List all available projects
    ory list projects --workspace <workspace-id>

    ## Get config
    ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
  2. Update the configuration value for session lifespan property to the desired value (Use hour (h), minute (m), second (s) to define interval, for example: 1h1m10s, 10s, 1h)

    config.yml
    session:
    cookie:
    domain: $PROJECT_SLUG.projects.oryapis.com
    name: ory_session_{name}
    path: /
    persistent: false
    same_site: Lax
    lifespan: 720h0m0s
  3. Update the Ory Identities configuration using the file you worked with:

    ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
note

If max-age is set as a part of the Set-Cookie header, the browser deletes the cookie when it reaches the age defined in max-age.

When max-age is not set, the browser deletes the cookie when the session ends. The session ends when the set session lifespan expires, or when the browser is shut down by the user.

Privileged sessions

To perform some profile changes, such as updating the email address, password, or adding/removing 2FA, the user must have a privileged session.

tip

This flow is similar to GitHub's sudo mode.

The session is considered privileged when its authenticated_at is younger than the privileged_session_max_age value defined in the configuration.

Configuration

To change the privileged session duration, go to AuthenticationSessions in the Ory Console, enter the desired value in the Privileged Session Age field and click the Save button.

For example, to set the privileged session duration to 15 minutes, enter 15m.

With this configuration in place, the user can perform the actions that require a privileged session up to 15 minutes after signing in. When this time passes, the user must re-authenticate to access these options.