The Advanced panel of OAG application settings allows configuration of the Idle Session Duration and Max Session Duration. These parameters are defined as:
- Idle Session Duration: Destroys application session if a user is idle for this duration.
- Max Session Duration: Maximum application session duration.
In certain use cases, it may be desirable to control these parameters via Advanced Policy, for example, to conditionally apply different session durations in different scenarios. This article outlines how this can be accomplished via the NGINX set directive.
- Okta Access Gateway (OAG)
- The "Idle Session Duration" parameter corresponds to the NGINX variable "$sessionDuration"
- The "Max Session Duration" parameter corresponds to the NGINX variable "$sessionmDuration"
As such, if, for example, it is desirable to set a policy that enforces an idle session of 30 seconds and a maximum session of 2 minutes, this can be done via the following:
set $sessionDuration 30;
set $sessionmDuration 120;
When the policy is triggered, the session durations set in the policy will override the global session durations configured within the Advanced panel of the application settings.
Below is an example of an application configured with an Idle Session Duration of 3 hours and a Maximum Session Duration of 5 hours.
A root policy has, however, been set up that sets the Idle Session Duration to 30 seconds and the Maximum Session Duration to 2 minutes.
When the application session is created upon login, we see that the session cookie expiration date is set to 30 seconds after session creation (this cookie expiration is pushed forward by the Idle Session Duration whenever the application is interacted with):
2023-03-15T14:56:22.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us GobgOB5AO: 2023/03/15 14:56:22 [debug] 4855#0: *1694 [lua] session.lua:231: server: header.nbcorp.us Session store uuid:e100e976617e4857a5fec772b5677aff duration:30 maxDuration:120 content:SESSIONID=_dc093bc9d189e99eb2a5f08fcbd1e18be2da2b6745
2023-03-15T14:56:22.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us GobgOB5AO: 2023/03/15 14:56:22 [debug] 4855#0: *1694 [lua] authSession.lua:1336: server: header.nbcorp.us Cookie: {AuthCookie=_24215941d70fee58bb30067ae7d38f6370b0e29315; path=/; Expires=Wed, 15-Mar-23 17:56:22 GMT;secure;HttpOnly;SameSite=None,SessionCookieHFL16428SINFE71QMY4V=e100e976617e4857a5fec772b5677aff; path=/; Expires=Wed, 15-Mar-23 18:56:52 GMT;secure;HttpOnly;SameSite=None}
2023-03-15T14:56:33.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us GobgOB5AO: 2023/03/15 14:56:33 [debug] 4855#0: *1694 [lua] session.lua:58: setTimestamps(): server: header.nbcorp.us existingSESSION:SESSIONID=_dc093bc9d189e99eb2a5f08fcbd1e18be2da2b6745
2023-03-15T14:56:33.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us GobgOB5AO: 2023/03/15 14:56:33 [debug] 4855#0: *1694 [lua] session.lua:231: server: header.nbcorp.us Session store uuid:e100e976617e4857a5fec772b5677aff duration:30 maxDuration:120 content:SESSIONID=_dc093bc9d189e99eb2a5f08fcbd1e18be2da2b6745
2023-03-15T14:56:33.000-04:00 oag-admin.nbcorp.us oag-admin.nbcorp.us GobgOB5AO: 2023/03/15 14:56:33 [debug] 4855#0: *1694 [lua] authSession.lua:1336: server: header.nbcorp.us Cookie: {SessionCookieHFL16428SINFE71QMY4V=e100e976617e4857a5fec772b5677aff; path=/; Expires=Wed, 15-Mar-23 18:57:03 GMT;secure;HttpOnly;SameSite=None}
In this example, the user continued to interact with the application, so the Idle Session Duration was never enforced; eventually, when trying to interact with the application 2 minutes after the session was created, the Max Session Duration timeout was encountered.
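The following is an added example, not code from the Okta article or from Okta Access Gateway itself. It models the behaviour described above for the policy-set $sessionDuration and $sessionmDuration values: the session cookie's Expires is pushed forward by the idle duration on every interaction, but the session can never outlive the maximum duration measured from creation. It then parses OAG debug lines of the layout shown above (the "Session store ... duration:N maxDuration:M" line and the following "Cookie: {...}" line) and checks that each emitted Expires matches that rule. The first two interactions are the log lines from the article; the third interaction is constructed to show the maximum cap taking effect. The regular expressions and the pairing of a store line with the next cookie line are assumptions about the log format, based only on the lines shown here.

```python
"""Check OAG session cookie Expires values against policy-set durations.

Added example (not Okta's code). Assumes the debug log layout seen in the
article: an ISO-8601 line timestamp with UTC offset, a "Session store"
line carrying duration/maxDuration, then a "Cookie: {...}" line whose
SessionCookie<id> entry has an Expires in GMT.
"""
import re
from datetime import datetime, timedelta, timezone

LINE_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d{3}([+-]\d{2}:\d{2})")
STORE = re.compile(r"Session store uuid:(\w+) duration:(\d+) maxDuration:(\d+)")
# Only the OAG session cookie, not the AuthCookie that precedes it on login.
SESSION_COOKIE = re.compile(r"SessionCookie\w+=(\w+);[^}]*?Expires=([^;]+);")


def line_time(line):
    """Timezone-aware timestamp from the start of a debug line."""
    m = LINE_TS.match(line)
    return datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%dT%H:%M:%S%z")


def cookie_expiry(line):
    """Expires of the SessionCookie entry, as an aware UTC datetime."""
    m = SESSION_COOKIE.search(line)
    naive = datetime.strptime(m.group(2), "%a, %d-%b-%y %H:%M:%S %Z")
    return naive.replace(tzinfo=timezone.utc)


def expected_expiry(created, last_activity, idle_seconds, max_seconds):
    """Expiry OAG should emit: idle window from the latest interaction,
    capped by the hard maximum counted from session creation."""
    return min(last_activity + timedelta(seconds=idle_seconds),
               created + timedelta(seconds=max_seconds))


def check_log(lines):
    """Walk the log; return (interaction, actual_expiry, expected_expiry, ok)
    for every cookie line, using the durations from the preceding store line."""
    created = last = idle = max_dur = None
    results = []
    for line in lines:
        m = STORE.search(line)
        if m:
            idle, max_dur = int(m.group(2)), int(m.group(3))
            last = line_time(line)
            created = created or last  # first store line marks session creation
            continue
        if "Cookie: {" in line and SESSION_COOKIE.search(line):
            actual = cookie_expiry(line)
            exp = expected_expiry(created, last, idle, max_dur)
            results.append((last, actual, exp, actual == exp))
    return results


PREFIX = "oag-admin.nbcorp.us oag-admin.nbcorp.us GobgOB5AO: "
SAMPLE_LOG = [
    # Login and one interaction: lines taken from the article's debug output.
    "2023-03-15T14:56:22.000-04:00 " + PREFIX + "2023/03/15 14:56:22 [debug] 4855#0: *1694 [lua] session.lua:231: server: header.nbcorp.us Session store uuid:e100e976617e4857a5fec772b5677aff duration:30 maxDuration:120 content:SESSIONID=_dc093bc9d189e99eb2a5f08fcbd1e18be2da2b6745",
    "2023-03-15T14:56:22.000-04:00 " + PREFIX + "2023/03/15 14:56:22 [debug] 4855#0: *1694 [lua] authSession.lua:1336: server: header.nbcorp.us Cookie: {AuthCookie=_24215941d70fee58bb30067ae7d38f6370b0e29315; path=/; Expires=Wed, 15-Mar-23 17:56:22 GMT;secure;HttpOnly;SameSite=None,SessionCookieHFL16428SINFE71QMY4V=e100e976617e4857a5fec772b5677aff; path=/; Expires=Wed, 15-Mar-23 18:56:52 GMT;secure;HttpOnly;SameSite=None}",
    "2023-03-15T14:56:33.000-04:00 " + PREFIX + "2023/03/15 14:56:33 [debug] 4855#0: *1694 [lua] session.lua:231: server: header.nbcorp.us Session store uuid:e100e976617e4857a5fec772b5677aff duration:30 maxDuration:120 content:SESSIONID=_dc093bc9d189e99eb2a5f08fcbd1e18be2da2b6745",
    "2023-03-15T14:56:33.000-04:00 " + PREFIX + "2023/03/15 14:56:33 [debug] 4855#0: *1694 [lua] authSession.lua:1336: server: header.nbcorp.us Cookie: {SessionCookieHFL16428SINFE71QMY4V=e100e976617e4857a5fec772b5677aff; path=/; Expires=Wed, 15-Mar-23 18:57:03 GMT;secure;HttpOnly;SameSite=None}",
    # CONSTRUCTED: an interaction 98 s after creation. The 30 s idle window
    # would give 18:58:30 GMT, but the 120 s maximum caps it at 18:58:22 GMT.
    "2023-03-15T14:58:00.000-04:00 " + PREFIX + "2023/03/15 14:58:00 [debug] 4855#0: *1694 [lua] session.lua:231: server: header.nbcorp.us Session store uuid:e100e976617e4857a5fec772b5677aff duration:30 maxDuration:120 content:SESSIONID=_dc093bc9d189e99eb2a5f08fcbd1e18be2da2b6745",
    "2023-03-15T14:58:00.000-04:00 " + PREFIX + "2023/03/15 14:58:00 [debug] 4855#0: *1694 [lua] authSession.lua:1336: server: header.nbcorp.us Cookie: {SessionCookieHFL16428SINFE71QMY4V=e100e976617e4857a5fec772b5677aff; path=/; Expires=Wed, 15-Mar-23 18:58:22 GMT;secure;HttpOnly;SameSite=None}",
]

if __name__ == "__main__":
    for when, actual, exp, ok in check_log(SAMPLE_LOG):
        print(f"{when.isoformat()} expires {actual:%H:%M:%S} GMT "
              f"(expected {exp:%H:%M:%S}) {'OK' if ok else 'MISMATCH'}")
```

Running this against a real OAG debug log is a quick way to confirm that a policy's set $sessionDuration / set $sessionmDuration values, rather than the Advanced panel values, are what the gateway is actually applying: a cookie Expires that is 3 hours out instead of 30 seconds means the policy did not trigger.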
