diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index e112f8a1d0..e2d8b61660 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -64,6 +64,8 @@ debugger: false
 log_level: info
 session_storage: cache
+sessions:
+ unauthenticated_age: days=1
 error_reporting:
 enabled: false
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index a9568c64ba..24f56e7b39 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -16,6 +16,7 @@ from authentik.lib.config import CONFIG, django_db_config, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 
 BASE_DIR = Path(__file__).absolute().parent.parent.parent
@@ -242,6 +243,9 @@ SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_AGE = timedelta_from_string(
+ CONFIG.get("sessions.unauthenticated_age", "days=1")
+).total_seconds()
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 
 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
diff --git a/website/docs/install-config/configuration/configuration.mdx b/website/docs/install-config/configuration/configuration.mdx
index dd8139672d..3dce57af52 100644
--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
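Review bot: `SESSION_COOKIE_AGE` in the second settings.py hunk is assigned a float, because `timedelta.total_seconds()` returns one, while Django's own default for this setting is an integer number of seconds; wrapping it as `SESSION_COOKIE_AGE = int(timedelta_from_string(CONFIG.get("sessions.unauthenticated_age", "days=1")).total_seconds())` keeps the documented type and avoids handing a float TTL to whichever session backend is configured. The `"days=1"` fallback passed to `CONFIG.get` duplicates the default added to `authentik/lib/default.yml` in the same commit, so the two values can drift; if default.yml is always loaded the fallback could be dropped, otherwise a comment should point at it as the source of truth. Since the neighbouring comment says the cookie is otherwise configured by a custom SessionMiddleware, a line such as `# Lifetime of sessions that have not authenticated yet; authenticated sessions get their expiry from the user login stage` would explain why this setting exists alongside the login-stage expiry the docs refer to. Separately, the docs hunk for the same option writes the Markdown link with text and target swapped (`[../../add-secure-apps/flows-stages/stages/user_login/index.md](the User login stage)`), so the rendered link will not resolve.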
@@ -355,6 +355,12 @@ Defaults to `86400`.
 
 Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
+### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`:ak-version[2025.4]
+
+Configure how long unauthenticated sessions last for. Does not impact how long authenticated sessions are valid for. See [../../add-secure-apps/flows-stages/stages/user_login/index.md](the User login stage) for session validity.
+
+Defaults to `days=1`.
+
 ### `AUTHENTIK_WEB__WORKERS`
 
 Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).