Session lifespan
Each session is valid for a set amount of time. This time is the session's lifespan. When the session lifespan expires, the user must re-authenticate.
In the configuration, session lifespan is expressed in hours, minutes, and seconds. Use a combination of these units to define the
desired lifespan. For example: 72h
, 10m
, 12s
, 1h13m3s
.
- Ory Console
- Ory CLI
To change the session lifespan, go to Ory Console → Session Settings, enter the desired lifespan and click the Save button.
For example, to set the session lifespan to 30 days, enter 720h
.
-
Download the Ory Identities config from your project and save it to a file:
## List all available workspaces
ory list workspaces
## List all available projects
ory list projects --workspace <workspace-id>
## Get config
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml -
Update the configuration value for session lifespan property to the desired value:
config.ymlsession:
cookie:
domain: $PROJECT_SLUG.projects.oryapis.com
name: ory_session_{name}
path: /
persistent: false
same_site: Lax
lifespan: 720h -
Update the Ory Identities configuration using the file you worked with:
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
Session cookie 'max-age'
By default, the session cookie max-age
is the same as the set session lifespan. To disable this behavior and allow to define a
different cookie max-age
, set the session/cookie/persistent
value to false
:
- Ory CLI
-
Download the Ory Identities config from your project and save it to a file:
## List all available workspaces
ory list workspaces
## List all available projects
ory list projects --workspace <workspace-id>
## Get config
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml -
Update the configuration value for session lifespan property to the desired value (Use hour (h), minute (m), second (s) to define interval, for example: 1h1m10s, 10s, 1h)
config.ymlsession:
cookie:
domain: $PROJECT_SLUG.projects.oryapis.com
name: ory_session_{name}
path: /
persistent: false
same_site: Lax
lifespan: 720h0m0s -
Update the Ory Identities configuration using the file you worked with:
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
If max-age
is set as a part of the Set-Cookie
header, the browser deletes the cookie when it reaches the age defined in
max-age
.
When max-age
is not set, the browser deletes the cookie when the session ends. The session ends when the set session lifespan
expires, or when the browser is shut down by the user.
Privileged sessions
To perform some profile changes, such as updating the email address, password, or adding/removing 2FA, the user must have a privileged session.
This flow is similar to GitHub's sudo mode.
The session is considered privileged when its authenticated_at
is younger than the privileged_session_max_age
value defined in
the configuration.
Configuration
- Ory Console
- Ory CLI
To change the privileged session duration, go to Authentication → Sessions in the Ory Console, enter the desired value in the Privileged Session Age field and click the Save button.
For example, to set the privileged session duration to 15 minutes, enter 15m
.
-
Download the Ory Identities config from your project and save it to a file.
## List all available workspaces
ory list workspaces
## List all available projects
ory list projects --workspace <workspace-id>
## Get config
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml -
Update the configuration value for privileged session max age property (
privileged_session_max_age
) to the desired value. For example, to set the privileged session duration to 15 minutes, enter15m
.config.ymlselfservice:
flows:
settings:
after:
hooks: []
password:
hooks: []
profile:
hooks: []
ui_url: /ui/settings
privileged_session_max_age: 15m
required_aal: highest_available -
Update the Ory Identities configuration using the file you worked with.
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
With this configuration in place, the user can perform the actions that require a privileged session up to 15 minutes after signing in. When this time passes, the user must re-authenticate to access these options.