Skip to content

Session Management Settings

Hans Zandbelt edited this page Dec 21, 2022 · 1 revision

These settings are only relevant in an OpenID Connect Relying Party setup.

Session Inactivity Timeout

# Interval in seconds after which the session will be invalidated when no interaction has occurred.
# When not defined, the default is 300 seconds.
OIDCSessionInactivityTimeout <seconds>

Session Maximum Duration

# Maximum duration of the application session
# When not defined the default is 8 hours (3600 * 8 seconds).
# When set to 0, the session duration will be set equal to the expiry time of the ID token.
# NB: this can be overridden on a per-OP basis in the .conf file using the key: session_max_duration
OIDCSessionMaxDuration <seconds>

Session Type

# OpenID Connect session storage type.
# "server-cache" server-side caching storage.
# "client-cookie" uses browser-side sessions stored in a cookie; see also OIDCSessionCookieChunkSize next
# A suffix ":persistent" can be added if you want to use a persistent cookie that survives browser restarts
# instead of a session cookie that is tied to the lifetime of the browser session.
# The "expires" value of the persistent cookie is controlled by the OIDCSessionInactivityTimeout setting.
# A suffix ":store_id_token" can be added to "client-cookie" if you want the id_token to be stored
# in the session to be used as id_token_hint in a logout request to the OP later.
# When not defined the default "server-cache" is used.
OIDCSessionType server-cache[:persistent] | client-cookie[:persistent | :store_id_token | :persistent:store_id_token ]

Session Cache Fallback

# Fallback to "OIDCSessionType client-cookie" when "OIDCSessionType server-cache" is set and the primary
# cache mechanism (e.g. memcache or redis) fails. Note that this will come at a cost of:
#   a) performance
#       1) since on each subsequent request the primary cache will still be polled and
#           failback will happen as soon as the primary cache is available again
#       2) information other than sessions cannot be cached, e.g. resolved access tokens or metadata; see: OIDCCacheType
#   b) security, since nonce's and jti's are not cached, see: OIDCCacheType
#   c) (prototype) functionality, since request_uri's won't work anymore
# When not defined the default is "Off".
OIDCSessionCacheFallbackToCookie [On|Off]

You can find all configuration parameters here: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf