diff --git a/content/docs/deploy/k8s/reference.md b/content/docs/deploy/k8s/reference.md index c8a09bbb8..c74c2f20e 100644 --- a/content/docs/deploy/k8s/reference.md +++ b/content/docs/deploy/k8s/reference.md @@ -584,7 +584,7 @@ Cookie defines Pomerium session cookie options.
- Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected.
See Session Management (Enterprise) for a more fine-grained session controls.
Defaults to 14 hours.
+ Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. Pomerium imposes its own session TTL (14 hours by default) to clean up abandoned sessions; without a timeout the server would continue refreshing tokens even if a user closed their browser.See Session Management (Enterprise) for more fine-grained session controls.
Defaults to 14 hours.
Format: a duration string like "22s" as parsed by Golang time.ParseDuration. diff --git a/content/docs/reference/cookies.mdx b/content/docs/reference/cookies.mdx index 19e1f3af2..13d7abfce 100644 --- a/content/docs/reference/cookies.mdx +++ b/content/docs/reference/cookies.mdx @@ -233,6 +233,8 @@ cookie: **Cookie Expiration** sets the lifetime of session cookies. After this interval, users must reauthenticate. +Pomerium sets its own session timeout (14 hours by default) because it has no way to know if a user simply closed their browser or cleared their cookies. Without an expiration, the server would keep refreshing identity provider tokens for abandoned sessions indefinitely. The timeout acts as a garbage-collection mechanism so that unused session state is eventually cleaned up. + ### How to configure {#cookie-expiration-how-to-configure}
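Review bot: in the reference.md hunk, the added `Expire` line is missing a space after "browser." ("...closed their browser.See Session Management..."), and "(14 hours by default)" now duplicates the "Defaults to 14 hours." line that immediately follows it. Suggest "...closed their browser. See Session Management (Enterprise)..." and dropping the parenthetical so the default is stated once.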
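Review bot: in the cookies.mdx hunk, the new paragraph explains the timeout as a garbage-collection mechanism without naming the setting it describes, while the reference.md hunk adds nearly the same wording for `Expire`; suggest tying the paragraph explicitly to the **Cookie Expiration** option it follows and cross-linking the two pages so the two copies of this explanation do not drift apart.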