You are reading the documentation for an outdated Corteza release. 2023.9 is the latest stable Corteza release.

Defining Session Duration

Corteza allows you to define how long the access tokens are to be considered valid.

Table 1. The three .env variables to control the authentication session:

AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME

The AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME .env variable allows you to define how long an access token is valid for.

The access token represents the credentials that allow users to access protected resources such as records, users, and workflows.

An example of limiting the access token to two minutes:
AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME=2m

AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME

The AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME .env variable allows you to define how long a refresh token should be valid.

The refresh token provides a mechanism which generates a new access token when the old one expires, removing the need to re-authenticate the user.

An example of limiting the refresh token to two minutes:
AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME=2m

AUTH_SESSION_LIFETIME

The AUTH_SESSION_LIFETIME .env variable allows you to define how long the authentication session should be valid.

The authentication session is generated when the user provides their credentials to the Corteza login page. The authentication session is independent of access tokens.

An example of limiting the auth session to two minutes:
AUTH_SESSION_LIFETIME=2m

AUTH_SESSION_PERM_LIFETIME

The AUTH_SESSION_PERM_LIFETIME .env variable allows you to define how long the authentication session should be valid when the user logs in with the "remember me" option.

The authentication session is generated when the user provides their credentials to the Corteza login page. The authentication session is independent of access tokens.

An example of limiting the auth session to two minutes:
AUTH_SESSION_PERM_LIFETIME=2m

Log Out Inactive Users After Two Minutes

If you wish to log out inactive users, you need to set all three of the .env variables mentioned above.

AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME=2m
AUTH_SESSION_LIFETIME=2m
AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME=2m

The user's browser determines when the user is considered inactive. Usually this is when they close the tab or window, or when their computer enters rest mode.
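
A pre-deployment check for the three-variable setup above, written as an added example (it is not part of Corteza or its documentation). The function names, the sample .env content and the 2-minute limit are illustrative, and it assumes the values follow Go's duration syntax, as the page's 2m does.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// The three variables the page says must all be set to log out inactive users.
var required = []string{"AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME",
	"AUTH_SESSION_LIFETIME", "AUTH_OAUTH2_REFRESH_TOKEN_LIFETIME"}

// parseEnv reads KEY=VALUE lines, skipping blank lines and # comments.
func parseEnv(src string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(src, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || strings.HasPrefix(k, "#") {
			continue
		}
		env[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
	}
	return env
}

// auditLifetimes returns one finding per problem (none if all three are set and <= limit).
// Assumption: values use Go's time.ParseDuration syntax, as in the page's "2m".
func auditLifetimes(env map[string]string, limit time.Duration) []string {
	var findings []string
	for _, name := range required {
		raw, ok := env[name]
		d, err := time.ParseDuration(raw)
		switch {
		case !ok:
			findings = append(findings, name+": not set")
		case err != nil || d <= 0:
			findings = append(findings, fmt.Sprintf("%s: invalid duration %q", name, raw))
		case d > limit:
			findings = append(findings, fmt.Sprintf("%s: %s exceeds %s", name, d, limit))
		}
	}
	return findings
}

func main() {
	// Constructed sample .env: refresh token lifetime missing, session too long.
	sample := "AUTH_OAUTH2_ACCESS_TOKEN_LIFETIME=2m\n# note\nAUTH_SESSION_LIFETIME=24h\n"
	fmt.Println(strings.Join(auditLifetimes(parseEnv(sample), 2*time.Minute), "\n"))
}
```

AUTH_SESSION_PERM_LIFETIME is not among the three variables listed in this section, so the check does not cover it.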