root: allow configuring session cookie age

authentik/lib/default.yml

@@ -64,6 +64,8 @@ remote_debug: false
 log_level: info
 
 session_storage: cache
+sessions:
+  cookie_age: days=14
 
 error_reporting:
   enabled: false

authentik/root/settings.py

@@ -16,6 +16,7 @@
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 
 BASE_DIR = Path(__file__).absolute().parent.parent.parent
@@ -239,6 +240,7 @@
 # Configured via custom SessionMiddleware
 # SESSION_COOKIE_SAMESITE = "None"
 # SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_AGE = timedelta_from_string(CONFIG.get("sessions.cookie_age", "days=14"))
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 
 MESSAGE_STORAGE = "authentik.root.messages.storage.ChannelsStorage"

website/docs/install-config/configuration/configuration.mdx

@@ -327,6 +327,12 @@ Defaults to `86400`.
 
 Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
+### `AUTHENTIK_SESSIONS__COOKIE_AGE` <span class="badge badge--version">authentik 2024.12+</span>
+
+Configure how long the session cookie is valid. Does not impact how long sessions are valid for. See [../../add-secure-apps/flows-stages/stages/user_login/index.md](the User login stage) for session validity.
+
+Defaults to `days=14`.
+
 ### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>
 
 Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).