Sessions
required
Under the sessions option, configuration related to session management can
be changed.
ttl
integer 3600 optional
The ttl option defines the "time-to-live", i.e. the session lifetime.
config.yaml
sessions:
  ttl: 86400
redis_addr
string optional
The redis_addr option is used to pass a network address where a Redis
server can be reached. If set, the Redis instance is used for caching. If
not given, an in-memory cache is used.
config.yaml
sessions:
  redis_addr: redis:6379
redis_username
string optional
Sets the Redis ACL username used to authenticate to the server. Leave empty when Redis is configured without ACL users.
config.yaml
sessions:
  redis_addr: "redis:6379"
  redis_username: "app-user"
redis_password
string optional
Sets the password for Redis authentication. It is used with or without a
username, depending on your Redis setup.
config.yaml
sessions:
  redis_addr: "redis:6379"
  redis_password: "s3cr3t-pass"
redis_db
integer 0 optional
Selects the Redis logical database index to use. Defaults to 0 if not
set. Common deployments use 0; choose another index when sharing a
Redis instance with other applications.
config.yaml
sessions:
  redis_addr: "redis:6379"
  redis_db: 1
memcached_addr
string required if Apache is used
The memcached_addr option is used to pass a network address where a memcached
server can be reached. If set, the user claims are stored in memcached
in the format needed by the Apache module AuthMemCookie.
Session information is still stored in Redis or in memory as well.
config.yaml
sessions:
  memcached_addr: memcached:11211
memcached_claims
mapping / object see file example optional
The memcached_claims option is used to specify which information should be
stored in memcached and from which OIDC claims the information should
be obtained.
Note
The following keys are required by AuthMemCookie:
- UserName
- Groups
Info
OIDC claims can be given as a single string or a list of strings. If a list is given, OFFA will use the value from the first non-empty claim.
Example
In the config below, UserName will be populated with the value in
preferred_username if that is set, or sub otherwise.
The default mapping is as listed in the following config.yaml example.
config.yaml
sessions:
  memcached_claims:
    UserName:
      - preferred_username
      - sub
    Groups: groups
    Email: email
    Name: name
    GivenName: given_name
    Provider: iss
    Subject: sub
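The lookup rule described above, modelled as an added example (this is not OFFA's own code). The function names, the definition of "empty" and the sample claims are assumptions made for illustration; the mapping is the default one from the config.yaml example.

```python
# Added example: a model of the documented memcached_claims lookup, not OFFA's code.
REQUIRED_KEYS = ("UserName", "Groups")  # required by AuthMemCookie, per the note above

# The default mapping from the config.yaml example above, as a Python dict.
DEFAULT_MAPPING = {
    "UserName": ["preferred_username", "sub"],
    "Groups": "groups",
    "Email": "email",
    "Name": "name",
    "GivenName": "given_name",
    "Provider": "iss",
    "Subject": "sub",
}

def is_empty(value):
    # Assumption: a missing claim, None, "" and [] all count as "empty".
    return value is None or value == "" or value == []

def resolve(mapping, claims):
    """Map each key to the value of its first non-empty source claim."""
    resolved = {}
    for key, sources in mapping.items():
        if isinstance(sources, str):  # a single claim name is a one-item list
            sources = [sources]
        for claim_name in sources:
            value = claims.get(claim_name)
            if not is_empty(value):
                resolved[key] = value
                break
    return resolved

def missing_required(mapping, claims):
    """Return the AuthMemCookie-required keys that resolved to nothing."""
    resolved = resolve(mapping, claims)
    return [key for key in REQUIRED_KEYS if key not in resolved]

# Constructed sample claims: preferred_username is present but empty, no groups claim.
SAMPLE_CLAIMS = {
    "iss": "https://op.example.org",
    "sub": "a1b2c3",
    "preferred_username": "",
    "email": "alice@example.org",
}

if __name__ == "__main__":
    print(resolve(DEFAULT_MAPPING, SAMPLE_CLAIMS))
    print("missing required keys:", missing_required(DEFAULT_MAPPING, SAMPLE_CLAIMS))
```

With the default mapping, UserName takes the sub value whenever preferred_username is empty. Because sub is only unique per issuer, access rules that match on UserName should also take Provider into account.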
cookie_name
string offa-session optional
The cookie_name option is used to set the name of the cookie that holds
the session token.
config.yaml
sessions:
  cookie_name: offa
cookie_domain
string required
The cookie_domain option sets the domain that the session cookie is
assigned to and protects. This must be the same as the domain OFFA is served on
or a parent domain.
Example
If OFFA is accessible via the URI https://offa.example.com, the domain
should be either offa.example.com or example.com.
config.yaml
sessions:
  cookie_domain: example.com