From 9ff6de3759161406de3f384f58790412406dc5a7 Mon Sep 17 00:00:00 2001
From: Marc 'risson' Schmitt
Date: Wed, 18 Dec 2024 14:01:33 +0100
Subject: [PATCH] root: allow configuring session cookie age

Signed-off-by: Marc 'risson' Schmitt
---
 authentik/lib/default.yml | 2 ++
 authentik/root/settings.py | 2 ++
 website/docs/install-config/configuration/configuration.mdx | 6 ++++++
 3 files changed, 10 insertions(+)

diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 9a8289a0dfc0..bf87dbf4c238 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -64,6 +64,8 @@ remote_debug: false
 log_level: info
 session_storage: cache
+sessions:
+ cookie_age: days=14
 error_reporting:
 enabled: false
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 8a8438b19b46..2d5618fdfab5 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -16,6 +16,7 @@
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 BASE_DIR = Path(__file__).absolute().parent.parent.parent
@@ -239,6 +240,7 @@
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_AGE = timedelta_from_string(CONFIG.get("sessions.cookie_age", "days=14"))
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"
diff --git a/website/docs/install-config/configuration/configuration.mdx b/website/docs/install-config/configuration/configuration.mdx
index eb7c0e62b5ce..bc2ee63e93c0 100644
--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
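Review bot: In authentik/root/settings.py the added `SESSION_COOKIE_AGE` line stores the return value of `timedelta_from_string(...)` as-is, while Django documents this setting as an integer number of seconds. The helper is defined outside this patch; if it returns a `datetime.timedelta`, as the name suggests, code that adds the value to a timestamp or uses it as a cookie `max_age` or cache timeout would fail or misbehave, so convert it explicitly: `SESSION_COOKIE_AGE = int(timedelta_from_string(CONFIG.get("sessions.cookie_age", "days=14")).total_seconds())`. Django's session backends also fall back to this setting as the stored session's expiry when no explicit expiry has been set, so the documentation's statement that it does not affect session validity should be confirmed against the custom SessionMiddleware, which is not visible here. A short comment above the line, e.g. `# Django expects seconds; operator-supplied duration from sessions.cookie_age`, would make the unit and the trust boundary clear.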
@@ -327,6 +327,12 @@ Defaults to `86400`.
 Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
+### `AUTHENTIK_SESSIONS__COOKIE_AGE` authentik 2024.12+
+
+Configure how long the session cookie is valid. Does not impact how long sessions are valid for. See [../../add-secure-apps/flows-stages/stages/user_login/index.md](the User login stage) for session validity.
+
+Defaults to `days=14`.
+
 ### `AUTHENTIK_WEB__WORKERS` authentik 2022.9+
 Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).