# auth_digest_drop_time

The `auth_digest_drop_time` directive sets the time period, in seconds, during which old authentication data is retained before being discarded in the NGINX digest authentication module.

## Description
The `auth_digest_drop_time` directive is a configurable parameter of the NGINX digest authentication module that specifies how long (in seconds) old authentication tokens are retained after a user logs out or after their authentication session is otherwise invalidated. Once this period elapses, the module drops the stale tokens so that they cannot be used in subsequent requests. This helps ensure that old credentials do not linger and cannot be reused maliciously after they should have been invalidated.

The directive can be used in the `http`, `server`, and `location` contexts, so it can be applied at whichever scope suits the configuration. It takes a single numeric argument: the number of seconds for which old authentication data is retained. A higher value lengthens the window during which potentially compromised tokens might still be valid; a lower value forces faster cleanup of those tokens, which is preferable where the risk of misuse is a concern.

If the directive is not set explicitly, it defaults to 300 seconds (5 minutes), so without further configuration old tokens are kept for a moderate length of time. Administrators should choose a value that reflects their security policy and user-experience needs, balancing prompt invalidation of tokens against usability during an active session.
## Config Example

```nginx
server {
    listen 80;
    location / {
        auth_digest "Restricted Area";
        auth_digest_user_file /etc/nginx/digest.users;
        auth_digest_drop_time 600;
    }
}
```

If the value is set too low, users with legitimate in-flight sessions may be interrupted.

If it is set too high, the system may be exposed to security risks from lingering old tokens.
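Because the directive is inherited from enclosing contexts and silently falls back to the 300-second default, it is easy to lose track of the effective value for each protected location. The following script is an added example, not part of the original page or of the digest authentication module: it parses a configuration fragment, resolves the effective `auth_digest_drop_time` for every context that enables `auth_digest`, and flags values above a policy ceiling. The 300-second default comes from the page; the 600-second ceiling, the `policy` naming and the sample configuration are constructed for this example. The time-suffix handling (`s`, `m`, `h`, `d`, `w`) follows NGINX's general time syntax and is an assumption about what this directive accepts beyond plain seconds.

```python
"""Audit auth_digest_drop_time settings in an NGINX configuration.

Added example (not the page's or the module's code). It walks the
http/server/location blocks of a config string, converts each
auth_digest_drop_time value to seconds and reports the effective value
for every context that enables auth_digest.
"""
import re

DEFAULT_DROP_TIME = 300       # module default in seconds, as stated on the page
POLICY_MAX_DROP_TIME = 600    # assumed organisational ceiling (constructed)

# NGINX time suffixes at second granularity (assumption: plain seconds
# are what the page documents; suffixes follow general NGINX time syntax)
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_seconds(value):
    """Convert a time value such as '600', '300s' or '5m' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def _tokenize(text):
    text = re.sub(r"#.*", "", text)  # drop comments
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)


def parse_blocks(text):
    """Return (context_path, directive, args) tuples.

    context_path is a tuple such as ('http', 'server', 'location /admin').
    """
    stack, buf, out = [], [], []
    for tok in _tokenize(text):
        if tok == "{":
            stack.append(" ".join(buf))
            buf = []
        elif tok == "}":
            stack.pop()
            buf = []
        elif tok == ";":
            if buf:
                out.append((tuple(stack), buf[0], buf[1:]))
            buf = []
        else:
            buf.append(tok)
    return out


def audit_drop_time(text, ceiling=POLICY_MAX_DROP_TIME):
    """One finding per context that enables auth_digest.

    The effective drop time is the explicit value in that context, else the
    closest enclosing setting, else the module default.
    """
    entries = parse_blocks(text)
    explicit = {}
    for ctx, name, args in entries:
        if name == "auth_digest_drop_time" and args:
            explicit[ctx] = parse_seconds(args[0])

    findings = []
    for ctx, name, args in entries:
        if name != "auth_digest" or args == ["off"]:
            continue
        effective, source = DEFAULT_DROP_TIME, "module default"
        for depth in range(len(ctx), -1, -1):      # search outward
            if ctx[:depth] in explicit:
                effective = explicit[ctx[:depth]]
                source = "set in " + (" > ".join(ctx[:depth]) or "main")
                break
        findings.append({
            "context": " > ".join(ctx),
            "drop_time": effective,
            "source": source,
            "exceeds_policy": effective > ceiling,
        })
    return findings


# Constructed sample configuration for this example
SAMPLE_CONFIG = """
http {
    auth_digest_drop_time 5m;
    server {
        listen 80;
        location /admin {
            auth_digest "Admin";
            auth_digest_user_file /etc/nginx/digest.users;
            auth_digest_drop_time 3600;   # lingers far longer than policy allows
        }
        location /reports {
            auth_digest "Reports";
            auth_digest_user_file /etc/nginx/digest.users;
        }
        location /public {
            auth_digest off;
        }
    }
}
"""

if __name__ == "__main__":
    for f in audit_drop_time(SAMPLE_CONFIG):
        flag = "EXCEEDS POLICY" if f["exceeds_policy"] else "ok"
        print(f'{f["context"]}: {f["drop_time"]}s ({f["source"]}) {flag}')
```

Run against a real configuration by passing the file contents to `audit_drop_time`; the `/reports` location in the sample shows why the outward search matters, since its effective value comes from the `http` block rather than the module default.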