Session lifespan
Each session is valid for a set amount of time. This time is the session's lifespan. When the session lifespan expires, the user must re-authenticate.
In the configuration, the session lifespan is expressed in hours.
Run this command to adjust the session lifespan to 720 hours (30 days):
- Ory CLI:

    ory patch identity-config <your-project-id> \
      --replace '/session/lifespan="720h"' # 30 days

- Self-Hosted Ory Kratos config:

    session:
      cookie:
        domain: fancy-moofasa-nsuq4mdx5a.projects.oryapis.com
        name: ory_session_fancymoofasansuq4mdx5a
        path: /
        persistent: false
        same_site: Lax
      lifespan: 72h0m0s
Session cookie 'max-age'
By default, the session cookie max-age is the same as the set session lifespan. To disable this behavior and allow a different cookie max-age to be defined, set the session/cookie/persistent value to false:
- Ory CLI:

    ory patch identity-config <your-project-id> \
      --replace '/session/cookie/persistent=false'

- Self-Hosted Ory Kratos config:

    session:
      cookie:
        domain: fancy-moofasa-nsuq4mdx5a.projects.oryapis.com
        name: ory_session_fancymoofasansuq4mdx5a
        path: /
        persistent: false
        same_site: Lax
If max-age is set as a part of the Set-Cookie header, the browser deletes the cookie when it reaches the age defined in max-age.
When max-age is not set, the browser deletes the cookie when the session ends. The session ends when the set session lifespan expires, or when the browser is shut down by the user.
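
To confirm that a deployment behaves as described above, the following added example (not part of the Ory documentation or code base) compares a Set-Cookie header captured from a login response with the configured session/lifespan and session/cookie/persistent values. The function names are hypothetical, the sample headers are constructed, and the check assumes the header was captured at login so that max-age has not yet counted down.

```python
import re

UNITS = {"h": 3600, "m": 60, "s": 1}  # units seen in this page's lifespan values

def lifespan_seconds(value):
    """Convert a lifespan such as '720h' or '72h0m0s' to seconds."""
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def cookie_attributes(set_cookie):
    """Return the attributes of one Set-Cookie value, keys lower-cased."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:  # element 0 is name=value
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return attrs

def check_cookie(set_cookie, lifespan, persistent):
    """Compare a login response's Set-Cookie with the configured session settings."""
    attrs = cookie_attributes(set_cookie)
    has_lifetime = "max-age" in attrs or "expires" in attrs
    if not persistent:
        # persistent=false: the cookie should carry no lifetime and end with the browser session
        return "mismatch: cookie is persistent" if has_lifetime else "ok: session cookie"
    if "max-age" not in attrs:
        return "mismatch: max-age missing"
    try:
        max_age = int(attrs["max-age"])
    except ValueError:
        return "mismatch: max-age is not an integer"
    limit = lifespan_seconds(lifespan)
    if max_age > limit:
        return "warn: cookie outlives the session lifespan"
    if max_age < limit:
        return "warn: cookie expires before the session lifespan"
    return "ok: max-age equals lifespan"

# Constructed sample headers (cookie name taken from the page, values and flags made up).
NAME = "ory_session_fancymoofasansuq4mdx5a"
PERSISTENT = f"{NAME}=constructed-value; Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax"
SESSION_ONLY = f"{NAME}=constructed-value; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(check_cookie(PERSISTENT, "720h", persistent=True))
    print(check_cookie(SESSION_ONLY, "720h", persistent=False))
    print(check_cookie(PERSISTENT, "72h0m0s", persistent=True))
```

A "warn: cookie outlives the session lifespan" result means the browser keeps sending a cookie for a session the server has already expired, which usually points to the lifespan having been shortened without the cookie settings being reviewed.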