auth_totp_expiry

Sets the expiration time for the authentication cookie used in TOTP-based authentication in NGINX.

Syntax: auth_totp_expiry time;
Default: 0s
Context: http, server, location, limit_except
Arguments: 1

Description

The auth_totp_expiry directive controls the session lifecycle of clients authenticated via Time-based One-Time Passwords (TOTP) in NGINX. It specifies how long the authentication cookie remains valid after a successful authentication. If no expiry is configured (the default of 0s), the cookie is a session cookie: it is discarded when the browser session ends.

This directive can be set in the http, server, location, and limit_except contexts, so its scope can be chosen to match the server layout. For example, a longer expiry (such as 1d for one day) lets users stay authenticated for the whole period without re-entering a TOTP code, which favours convenience; a shorter expiry suits high-security deployments where frequent re-authentication is wanted.

The directive directly affects both session management and user experience, so the expiration period should balance convenience against security requirements. The expiry time should also be chosen with the configured TOTP time step in mind, so that users are not prompted more often than intended.

Config Example

location /protected {
    auth_totp_realm "Protected";
    auth_totp_file /etc/nginx/totp.conf;
    auth_totp_length 8;
    auth_totp_reuse off;
    auth_totp_skew 1;
    auth_totp_step 1m;
    auth_totp_cookie "totp-session";
    auth_totp_expiry 1d;
}
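The following configuration is an added example, not taken from the module's own documentation. It shows the directive set once at http level and then overridden per location, so that an administrative area forces frequent re-authentication while an ordinary application area keeps a one-day session; a third location inherits the http-level default and therefore uses a session cookie only. The file paths, realm names and cookie names are assumptions.

```nginx
# Added example: per-location expiry with an http-level default.
# File paths, realms and cookie names are assumptions, not real deployment values.
http {
    # Site-wide default: no explicit expiry (0s), so the TOTP cookie is a
    # session cookie and is discarded when the browser session ends.
    auth_totp_expiry 0s;

    server {
        listen 80;

        # Ordinary protected content: a one-day expiry overrides the http-level default.
        location /app {
            auth_totp_realm  "Application";
            auth_totp_file   /etc/nginx/totp.conf;
            auth_totp_cookie "totp-session";
            auth_totp_expiry 1d;
        }

        # Administrative area: a short expiry forces re-authentication every 15 minutes.
        location /admin {
            auth_totp_realm  "Admin";
            auth_totp_file   /etc/nginx/totp-admin.conf;
            auth_totp_cookie "totp-admin";
            auth_totp_expiry 15m;
        }

        # No auth_totp_expiry here: inherits the http-level 0s, i.e. session cookie only.
        location /reports {
            auth_totp_realm  "Reports";
            auth_totp_file   /etc/nginx/totp.conf;
            auth_totp_cookie "totp-reports";
        }
    }
}
```

Run `nginx -t` after editing to confirm the configuration parses before reloading; the distinct cookie names per location keep a long-lived /app session from being presented to the /admin location.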

Ensure that the expiry period adequately aligns with user needs for session length.

Setting the expiry too short may frustrate users needing to repeatedly authenticate.
