website/docs: configuration: remove deprecated key for session storage location (#14431)

* website/docs: configuration: remove deprecated key for session storage location

Signed-off-by: Dominic R <dominic@sdko.org>

* Update default.yml

Signed-off-by: Dominic R <dominic@sdko.org>

* cve fix

Signed-off-by: Dominic R <dominic@sdko.org>

* Update CVE-2025-29928.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Dominic R <dominic@sdko.org>

* add

* Update website/docs/security/cves/CVE-2025-29928.md

Signed-off-by: Dominic R <dominic@sdko.org>

* Update website/docs/security/cves/CVE-2025-29928.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/install-config/configuration/configuration.mdx

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/install-config/configuration/configuration.mdx

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/security/cves/CVE-2025-29928.md

Signed-off-by: Dominic R <dominic@sdko.org>

* Update website/docs/security/cves/CVE-2025-29928.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/security/cves/CVE-2025-29928.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* Update website/docs/security/cves/CVE-2025-29928.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

* bump build

---------

Signed-off-by: Dominic R <dominic@sdko.org>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tana@goauthentik.io>

authentik/lib/default.yml

@@ -81,7 +81,6 @@ debugger: false
 
 log_level: info
 
-session_storage: cache
 sessions:
   unauthenticated_age: days=1
 

website/docs/install-config/configuration/configuration.mdx

@@ -357,7 +357,11 @@ Defaults to `86400`.
 
 ### `AUTHENTIK_SESSION_STORAGE`:ak-version[2024.4]
 
-Configure if the sessions are stored in the cache or the database. Defaults to `db`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
+:::info Deprecated
+This setting is removed as of version 2025.4. Sessions are now exclusively stored in the database. See our [2025.4 release notes](../../releases/2025.4#sessions-are-now-stored-in-the-database) for more information.
+:::
+
+If you are running a version earlier than 2025.4, you can configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
 ### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`:ak-version[2025.4]
 

website/docs/security/cves/CVE-2025-29928.md

@@ -2,13 +2,17 @@
 
 ## Deletion of sessions did not revoke sessions when using database session storage
 
+### ADDENDUM May 30, 2025
+
+As of version 2025.4, the option to store sessions in cache has been removed; sessions are now exclusively stored in the database. See our [2025.4 release notes](../../releases/2025.4#sessions-are-now-stored-in-the-database) for more information.
+
 ### Summary
 
 When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik.
 
 This also affects automatic session deletion when a user is set to inactive or a user is deleted.
 
-The session backend is configured via [this](../../install-config/configuration/configuration.mdx#authentik_session_storage) setting; if this settings isn't set the sessions are stored in the cache (Redis), which is not affected by this.
+The session backend was configured via the `AUTHENTIK_SESSION_STORAGE` setting, which was removed in version 2025.4.
 
 ### Patches