encrypted_session_expires
Sets the expiration time for encrypted sessions in NGINX.
Description
The encrypted_session_expires directive specifies the time, in seconds, that a session remains valid after creation. It is a core control for limiting the window in which a stolen or replayed session value can be used: when a session is created via the module's other directives, the expiration time set by this directive defines the maximum duration for which the session data is accepted without requiring re-authentication or re-encryption.
The directive can be placed in various contexts including http, server, location, and if conditions within these contexts. By allowing configuration across different scopes, it provides flexibility in handling session expiration based on the needs of specific server blocks or location contexts. For instance, different endpoints may require more or less security based on their sensitivity, and administrators can fine-tune the session lifespan accordingly.
The expected value for this directive is a single numerical argument indicating the duration in seconds. If not specified, it defaults to one day (86400 seconds). Adjusting the expiration time can be essential for optimizing user experience while maintaining robust security practices such as automatic logout or session renewal mechanisms.
Config Example
http {
    encrypted_session_expires 3600;          # default for this http block: sessions expire after 1 hour

    server {
        location /secure {
            encrypted_session_expires 1200;  # sessions created here expire after 20 minutes
        }
    }
}

Setting an expiration time that is too short may disrupt user experience by requiring frequent logins.
If the expiration time is longer than expected, it may pose security risks by allowing old sessions to persist.
Ensure that the expiration time is consistent with application logic that manages user sessions.
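The following configuration is an added example, not part of the original page, showing the expiry in effect end to end. It assumes the same module's set_encrypt_session / set_decrypt_session directives and the set_encode_base32 / set_decode_base32 directives from ngx_set_misc; the key, IV, paths, cookie name and upstream address are placeholders.

```nginx
http {
    # Placeholder secrets: replace with 32 random bytes (key) and 16 random bytes (IV),
    # generated offline and kept out of version control.
    encrypted_session_key "0123456789abcdef0123456789abcdef";
    encrypted_session_iv  "0123456789abcdef";

    # Default lifetime for sessions created anywhere in this http block.
    encrypted_session_expires 1h;

    server {
        listen 8080;

        # Normal login: the session inherits the 1h lifetime from the http block.
        # The expiry timestamp is embedded in the encrypted value at creation time.
        location = /login {
            set $raw "user=42";                       # assumed session payload
            set_encrypt_session $session $raw;
            set_encode_base32 $session;                # cookie-safe encoding (ngx_set_misc)
            add_header Set-Cookie "sess=$session; HttpOnly; Secure; Path=/";
            return 204;
        }

        # Admin login: a shorter lifetime applies to sessions created in this location,
        # because the directive is read where set_encrypt_session runs.
        location = /admin/login {
            encrypted_session_expires 20m;
            set $raw "user=42;role=admin";            # assumed session payload
            set_encrypt_session $session $raw;
            set_encode_base32 $session;
            add_header Set-Cookie "sess=$session; HttpOnly; Secure; Path=/";
            return 204;
        }

        # Protected endpoint: decryption yields an empty string for a tampered,
        # undecryptable or expired cookie, so that case is rejected before proxying.
        location /admin {
            set_decode_base32 $session $cookie_sess;
            set_decrypt_session $raw $session;
            if ($raw = "") {
                return 403;
            }
            proxy_set_header X-Session $raw;
            proxy_pass http://127.0.0.1:9000;         # assumed upstream
        }
    }
}
```

Because the expiry is fixed at encryption time, changing encrypted_session_expires in a location that only decrypts has no effect on sessions issued elsewhere.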