Session lifespan
Each session is valid for a set amount of time. This time is the session's lifespan. When the session lifespan expires, the user must re-authenticate.
In the configuration, the session lifespan is expressed in hours.
Run this command to adjust the session lifespan to 720 hours (30 days):
- Ory CLI
- Self-Hosted Ory Kratos Config
ory patch identity-config <your-project-id> \\
--replace '/session/lifespan="720h"' # 30 days
session:
cookie:
domain: fancy-moofasa-nsuq4mdx5a.projects.oryapis.com
name: ory_session_fancymoofasansuq4mdx5a
path: /
persistent: false
same_site: Lax
lifespan: 72h0m0s
Session cookie 'max-age'
By default, the session cookie max-age
is the same as the set session lifespan. To disable this behavior and allow to define a
different cookie max-age
, set the session/cookie/persistent
value to false
:
- Ory CLI
- Self-Hosted Ory Kratos Config
ory patch identity-config <your-project-id> \\
--replace '/session/cookie/persistent=false'
session:
cookie:
domain: fancy-moofasa-nsuq4mdx5a.projects.oryapis.com
name: ory_session_fancymoofasansuq4mdx5a
path: /
persistent: false
same_site: Lax
If max-age
is set as a part of the Set-Cookie
header, the browser deletes the cookie when it reaches the age defined in
max-age
.
When max-age
is not set, the browser deletes the cookie when the session ends. The session ends when the set session lifespan
expires, or when the browser is shut down by the user.