-
Why does OIDCSessionInactivityTimeout default to 300 seconds, and what is the harm in increasing it by a lot? I have mod_auth_openidc protecting a single page application that only fetches using XHR when it is in the foreground. If I ignore it for longer than the timeout, then come back, its XHR requests all return 401. Is the timeout just to limit the size of the server session cache?
-
The timeout is relatively short because it is a common security practice rather than a resource optimization thing: it protects against users "forgetting" about their session, i.e. when walking away from their machine and/or forgetting to kill their session(s); feel free to increase it if your environment does not need that best practice.