pomerium · rjbeers · Jul 16, 2025 · Jun 27, 2025 · Jul 16, 2025
@@ -584,7 +584,7 @@ Cookie defines Pomerium session cookie options.
                 </p>
                 <p>
 
-                    Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a> (Enterprise) for a more fine-grained session controls.</p> <p>Defaults to 14 hours.</p>
+                    Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. Pomerium imposes its own session TTL (14 hours by default) to clean up abandoned sessions; without a timeout the server would continue refreshing tokens even if a user closed their browser. <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a> (Enterprise) for more fine-grained session controls.</p> <p>Defaults to 14 hours.</p>
                 </p>
 
                     Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

@@ -233,6 +233,8 @@ cookie:
 
 **Cookie Expiration** sets the lifetime of session cookies. After this interval, users must reauthenticate.
 
+Pomerium sets its own session timeout (14 hours by default) because it has no way to know if a user simply closed their browser or cleared their cookies. Without an expiration, the server would keep refreshing identity provider tokens for abandoned sessions indefinitely. The timeout acts as a garbage-collection mechanism so that unused session state is eventually cleaned up.
+
 ### How to configure {#cookie-expiration-how-to-configure}
 
 <Tabs>

@@ -231,7 +231,9 @@
     "HPKE",
     "lifecycles",
     "llms",
-    "Llms"
+    "Llms",
+    "TTL",
+    "relogin"
   ],
   "ignorePaths": [
     "*.mp4",

@@ -179,8 +179,8 @@ select:focus {
     var(--tw-ring-offset-width) var(--tw-ring-offset-color);
   --tw-ring-shadow: var(--tw-ring-inset) 0 0 0
     calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color);
-  box-shadow: var(--tw-ring-offset-shadow), var(--tw-ring-shadow),
-    var(--tw-shadow);
+  box-shadow:
+    var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);
   border-color: #2563eb;
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -584,7 +584,7 @@ Cookie defines Pomerium session cookie options. @@
                     </p>
                     <p>
-                        Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a> (Enterprise) for a more fine-grained session controls.</p> <p>Defaults to 14 hours.</p>
+                        Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. Pomerium imposes its own session TTL (14 hours by default) to clean up abandoned sessions; without a timeout the server would continue refreshing tokens even if a user closed their browser. <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a> (Enterprise) for more fine-grained session controls.</p> <p>Defaults to 14 hours.</p>
                     </p>
                         Format: a duration string like "22s" as parsed by Golang time.ParseDuration.
@@ Expand Down @@