auth_totp_cookie
The `auth_totp_cookie` directive configures the name of the HTTP cookie used to maintain authentication state for clients using TOTP.
Description
The auth_totp_cookie directive names the cookie that the Time-based One-Time Password (TOTP) authentication module for NGINX uses to track authenticated clients. Once a client has presented a valid TOTP code, the module sets this cookie, and subsequent requests that carry it are accepted without a new TOTP verification. This matters because a TOTP code is only valid for a single time step (see auth_totp_step); without the cookie, a client would have to produce a fresh code on nearly every request.
The cookie name is whatever the administrator chooses; the default is 'totp'. Pick a name that fits the application's cookie naming conventions and does not collide with cookies the application or framework already sets. Because the cookie extends the authenticated session well past the lifetime of the code that created it, its lifetime is a security-relevant setting: the auth_totp_expiry directive controls how long the cookie remains valid before the client must authenticate with TOTP again.
Config Example
server {
    listen 80;

    location /protected {
        auth_totp_realm  "Protected";
        auth_totp_file   /etc/nginx/totp.conf;
        auth_totp_length 8;
        auth_totp_reuse  off;
        auth_totp_skew   1;
        auth_totp_step   1m;
        auth_totp_cookie "totp-session";
        auth_totp_expiry 1d;
    }
}

Ensure the cookie name does not conflict with other cookies set by the application or framework being used.
Be cautious when setting expiry times: with the values above, one successful 8-digit code grants access for a full day, so an overly long expiry turns a short-lived one-time code into a long-lived bearer credential. Keep the expiry in line with the application's session policy for sensitive resources.
Note also that the example listens on port 80; in production, serve the protected location over TLS so the session cookie is not sent in cleartext.