Session

Authelia relies on session cookies to authorize user access to various protected websites. This section configures the session cookie behavior and the domains which Authelia can service authorization requests for.

Variables

Some of the values within this page can automatically be replaced with documentation variables.

Configuration

Example Configuration

This section is intended as an example configuration to help users with a rough contextual layout of this configuration section, it is not intended to explain the options. The configuration shown may not be a valid configuration, and you should see the options section below and the navigation links to properly understand each option individually.

configuration.yml
session:
  secret: 'insecure_session_secret'
  name: 'authelia_session'
  same_site: 'lax'
  inactivity: '5m'
  expiration: '1h'
  remember_me: '1M'
  cookies:
    - domain: 'example.com'
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://www.example.com'
      name: 'authelia_session'
      same_site: 'lax'
      inactivity: '5m'
      expiration: '1h'
      remember_me: '1d'

Providers

There are currently two providers for session storage (three if you count Redis Sentinel as a separate provider):

  • Memory (default, stateful, no additional configuration)
  • Redis (stateless).
  • Redis Sentinel (stateless, highly available).

Kubernetes or High Availability

It’s important to note when picking a provider, the stateful providers are not recommended in High Availability scenarios like Kubernetes. Each provider has a note beside it indicating it is stateful or stateless the stateless providers are recommended.

Options

This section describes the individual configuration options.

secret

string required

Important Note

This can also be defined using a secret which is strongly recommended especially for containerized deployments.

The secret key used to encrypt session data in Redis.

It’s strongly recommended this is a Random Alphanumeric String with 64 or more characters.

name

string authelia_session not required

The default name value for all cookies configurations.

same_site

string lax not required

The default same_site value for all cookies configurations.

inactivity

string integer duration 5 minutes not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The default inactivity value for all cookies configurations.

expiration

string integer duration 1 hour not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The default expiration value for all cookies configurations.

remember_me

string integer duration 1 month not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

The default remember_me value for all cookies configurations.

cookies

The list of specific cookie domains that Authelia is configured to handle. Domains not properly configured will automatically be denied by Authelia. The list allows administrators to define multiple session cookie domain configurations with individual settings.

domain

string required

Important Note

Browsers have rules regarding which cookie domains a website can write. In particular the [Public Suffix List] usually contains domains which are not permitted.

The domain the session cookie is assigned to protect. This must be the same as the domain Authelia is served on or the root of the domain, and consequently if the authelia_url is configured must be able to read and write cookies for this domain.

For example if Authelia is accessible via the URL https://auth.example.com the domain should be either auth.example.com or example.com.

The value must not match a domain on the Public Suffix List as browsers do not allow websites to write cookies for these domains. This includes most Dynamic DNS services such as duckdns.org. You should use your domain instead of duckdns.org for this value, for example example.duckdns.org.

Consequently, if you have example.duckdns.org and example-auth.duckdns.org you cannot share cookies between these domains.

authelia_url

string required

This is a required URL which is the root URL of your Authelia installation for this cookie domain which can be used to generate the appropriate redirection URL when authentication is required. This URL must:

  1. Be able to read and write cookies for the configured domain.
  2. Use the https:// scheme.
  3. Include the path if relevant (i.e. https://example.com/authelia rather than https://example.com if you’re using the server address option of authelia to specify a subpath and if the Authelia portal is inaccessible from https://example.com).

The appropriate query parameter or header for your relevant proxy can override this behavior.

default_redirection_url

string not required

This is a completely optional URL which is used as the redirection location when visiting Authelia directly. This option deprecates the global default_redirection_url option. This URL must:

  1. Be able to read and write cookies for the configured domain.
  2. Use the https:// scheme.
  3. Not be the same as the authelia_url

If this option is absent you must use the appropriate query parameter or header for your relevant proxy.

name

string not required

Default Value: This option takes its default value from the name setting above.

The name of the session cookie. By default this is set to the name value in the main session configuration section.

same_site

string not required

Default Value: This option takes its default value from the same_site setting above.

Sets the cookies SameSite value. Prior to offering the configuration choice this defaulted to None. The new default is Lax. This option is defined in lower-case. So for example if you want to set it to Strict, the value in configuration needs to be strict.

You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally the most desirable option for Authelia. None is not recommended unless you absolutely know what you’re doing and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in this state but it’s available as an option anyway.

inactivity

string integer duration not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

Default Value: This option takes its default value from the inactivity setting above.

The period of time the user can be inactive for until the session is destroyed. Useful if you want long session timers but don’t want unused devices to be vulnerable.

expiration

string integer duration not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

Default Value: This option takes its default value from the expiration setting above.

The period of time before the cookie expires and the session is destroyed. This is overridden by remember_me when the remember me box is checked.

remember_me

string integer duration not required

Reference Note

This configuration option uses a common syntax. For more information please see both the configuration example and the Common Syntax: Duration reference guide.

Default Value: This option takes its default value from the remember_me setting above.

The period of time before the cookie expires and the session is destroyed when the remember me box is checked. Setting this to -1 disables this feature entirely for this session cookie domain.

Security

Configuration of this section has an impact on security. You should read notes in security measures for more information.