Skip to main content

Session lifespan

Each session is valid for a set amount of time. This time is the session's lifespan. When the session lifespan expires, the user must re-authenticate.

In the configuration, the session lifespan is expressed in hours.

Run this command to adjust the session lifespan to 720 hours (30 days):

ory patch identity-config <your-project-id> \\
--replace '/session/lifespan="720h"' # 30 days

By default, the session cookie max-age is the same as the set session lifespan. To disable this behavior and allow to define a different cookie max-age, set the session/cookie/persistent value to false:

ory patch identity-config <your-project-id> \\
--replace '/session/cookie/persistent=false'

If max-age is set as a part of the Set-Cookie header, the browser deletes the cookie when it reaches the age defined in max-age.

When max-age is not set, the browser deletes the cookie when the session ends. The session ends when the set session lifespan expires, or when the browser is shut down by the user.