captcha_expire

The `captcha_expire` directive sets the duration in seconds before a captcha code expires.

Syntax: captcha_expire seconds;
Default: 3600
Context: http, server, location
Arguments: 1

Description

The captcha_expire directive in the NGINX Captcha Module sets the lifetime, in seconds, of a generated captcha cookie. Once that time has elapsed the cookie is no longer valid: any attempt to validate it fails, and the client must be issued a new captcha. Bounding the lifetime limits how long a captured or already-solved captcha can be replayed.

By default the lifetime is 3600 seconds (1 hour). The directive may appear in the http, server, or location context, following the usual NGINX rule that a setting in a more specific context overrides the one inherited from an enclosing context, so a global default can be set at http level and tightened for individual servers or locations. An expired cookie is rejected, not refreshed: the page that presents the captcha must be able to issue a fresh one after expiry, otherwise a user whose cookie has lapsed cannot complete the check.

Config Example

location /captcha {
    captcha;
    captcha_expire 300;  # Sets captcha to expire in 5 minutes
}

If not specified, the default value (3600 seconds) applies. A one-hour window is generous for most forms; choose the shortest lifetime in which a user can realistically complete the challenge.

Do not treat the mere presence of a captcha cookie as proof that the challenge was passed; a captcha counts as valid only when the module has validated it within the expiry window.

A long expiration widens the replay window: a solved captcha cookie captured during its lifetime can be reused until it expires, so keep the value no higher than the time a user needs to answer.
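The check that an expiry window of this kind implies, written out as an added Python example rather than the module's own code (the cookie format, the `issue_cookie` and `validate_cookie` helpers and the secret are assumptions made here for illustration): the cookie carries its issue time under an HMAC, and validation rejects it once `expire` seconds have passed, which is the behaviour the description above and the replay caveat depend on.

```python
import base64
import hashlib
import hmac
import os

# Constructed example secret: a real deployment loads it from protected
# configuration and never hard-codes it.
SECRET = b"constructed-example-secret-do-not-use"

ISSUED_LEN, NONCE_LEN, TAG_LEN = 8, 8, 32


def _tag(secret: bytes, issued_at: int, nonce: bytes, answer: str) -> bytes:
    """HMAC over the issue time, a per-captcha nonce and the normalised answer.

    Covering issued_at with the MAC is what stops a client from extending its
    own window by editing the timestamp stored in the cookie.
    """
    msg = issued_at.to_bytes(ISSUED_LEN, "big") + nonce + answer.strip().lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def issue_cookie(answer: str, now: float, secret: bytes = SECRET) -> str:
    """Mint the cookie handed out alongside a freshly generated captcha image."""
    issued_at = int(now)
    nonce = os.urandom(NONCE_LEN)
    raw = issued_at.to_bytes(ISSUED_LEN, "big") + nonce + _tag(secret, issued_at, nonce, answer)
    return base64.urlsafe_b64encode(raw).decode("ascii")


def validate_cookie(cookie: str, answer: str, now: float,
                    expire: int = 3600, secret: bytes = SECRET) -> bool:
    """Accept only an untampered cookie whose answer matches and whose age is
    below `expire` seconds (the role captcha_expire plays for the module)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return False
    if len(raw) != ISSUED_LEN + NONCE_LEN + TAG_LEN:
        return False
    issued_at = int.from_bytes(raw[:ISSUED_LEN], "big")
    nonce = raw[ISSUED_LEN:ISSUED_LEN + NONCE_LEN]
    tag = raw[ISSUED_LEN + NONCE_LEN:]
    # Verify the MAC (in constant time) before trusting anything in the cookie.
    if not hmac.compare_digest(tag, _tag(secret, issued_at, nonce, answer)):
        return False
    age = int(now) - issued_at
    # Reject cookies "from the future" as well as ones at or past the window.
    return 0 <= age < expire


def demo() -> dict:
    """Exercise the check against constructed inputs; returns name -> accepted."""
    t0 = 1_700_000_000.0                     # constructed "now" of the issuing request
    cookie = issue_cookie("x7k2", now=t0)
    return {
        # Within a 300 s window (captcha_expire 300) the cookie is accepted.
        "fresh": validate_cookie(cookie, "x7k2", now=t0 + 120, expire=300),
        # Valid cookie, wrong answer.
        "wrong_answer": validate_cookie(cookie, "abcd", now=t0 + 120, expire=300),
        # Same cookie replayed one second after the 300 s window closes.
        "expired": validate_cookie(cookie, "x7k2", now=t0 + 301, expire=300),
        # Under the default 3600 s window the identical replay still succeeds.
        "replay_under_default": validate_cookie(cookie, "x7k2", now=t0 + 301),
        # Timestamp edited inside the cookie: the MAC no longer verifies.
        "tampered": validate_cookie("B" + cookie[1:], "x7k2", now=t0 + 120, expire=300),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The `replay_under_default` case is the point of the caveat above: the very cookie rejected at 301 seconds under `captcha_expire 300` is still accepted under the default 3600, so the directive's value is the size of the replay window.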
