Session lifespan
Each session is valid for a set amount of time. This time is the session's lifespan. When the session lifespan expires, the user must re-authenticate.
In the configuration, session lifespan is expressed in hours, minutes, and seconds. Use a combination of these units to define the
desired lifespan. For example: 72h, 10m, 12s, 1h13m3s.
Ory Console:
To change the session lifespan, go to Ory Console → Session Settings, enter the desired lifespan, and click the Save button.
For example, to set the session lifespan to 30 days, enter 720h.

Ory CLI:
- Download the Ory Identities config from your project and save it to a file:

      ## List all available projects
      ory list projects
      ## Get config
      ory get identity-config {project-id} --format yaml > identity-config.yaml

- Update the configuration value for the session lifespan property to the desired value (config.yml):

      session:
        cookie:
          domain: {project.slug}.projects.oryapis.com
          name: ory_session_{name}
          path: /
          persistent: false
          same_site: Lax
        lifespan: 720h

- Update the Ory Identities configuration using the file you worked with:

      ory update identity-config {project-id} --file identity-config.yaml

Session cookie 'max-age'
By default, the session cookie max-age is the same as the set session lifespan. To disable this behavior and define a
different cookie max-age, set the session/cookie/persistent value to false:
Ory CLI:
- Download the Ory Identities config from your project and save it to a file:

      ## List all available projects
      ory list projects
      ## Get config
      ory get identity-config {project-id} --format yaml > identity-config.yaml

- Update the configuration value for the session lifespan property to the desired value. Use hour (h), minute (m), and second (s) to define the interval, for example: 1h1m10s, 10s, 1h (config.yml):

      session:
        cookie:
          domain: {project.slug}.projects.oryapis.com
          name: ory_session_{name}
          path: /
          persistent: false
          same_site: Lax
        lifespan: 720h0m0s

- Update the Ory Identities configuration using the file you worked with:

      ory update identity-config {project-id} --file identity-config.yaml

If max-age is set as a part of the Set-Cookie header, the browser deletes the cookie when it reaches the age defined in
max-age.
When max-age is not set, the browser deletes the cookie when the session ends. The session ends when the set session lifespan
expires, or when the browser is shut down by the user.
Privileged sessions
To perform some profile changes, such as updating the email address, password, or adding/removing 2FA, the user must have a privileged session.
This flow is similar to GitHub's sudo mode.
The session is considered privileged when its authenticated_at is younger than the privileged_session_max_age value defined in
the configuration.
Configuration
Ory Console:
To change the privileged session duration, go to Ory Console → Session Settings, enter the desired value in the Privileged Session Age field, and click the Save button.
For example, to set the privileged session duration to 15 minutes, enter 15m.

Ory CLI:
- Download the Ory Identities config from your project and save it to a file:

      ## List all available projects
      ory list projects
      ## Get config
      ory get identity-config {project-id} --format yaml > identity-config.yaml

- Update the configuration value for the privileged session max age property (privileged_session_max_age) to the desired value. For example, to set the privileged session duration to 15 minutes, enter 15m (config.yml):

      selfservice:
        flows:
          settings:
            after:
              hooks: []
              password:
                hooks: []
              profile:
                hooks: []
            ui_url: /ui/settings
            privileged_session_max_age: 15m
            required_aal: highest_available

- Update the Ory Identities configuration using the file you worked with:

      ory update identity-config {project-id} --file identity-config.yaml

With this configuration in place, the user can perform the actions that require a privileged session up to 15 minutes after signing in. When this time passes, the user must re-authenticate to access these options.
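
The rules on this page modelled in Go, as an added example (not Ory's own code): session expiry from the lifespan, the privileged check on authenticated_at, and the cookie max-age with and without persistent. It assumes the duration strings parse with Go's time.ParseDuration, which accepts the h/m/s syntax shown above, and that expiry is issue time plus lifespan; Evaluate, CookieMaxAge and the sample times are hypothetical.

```go
package main

import (
	"fmt"
	"time"
)

const (
	Expired    = "expired"    // lifespan elapsed: the user must sign in again
	Privileged = "privileged" // recent authentication: sensitive changes allowed
	Standard   = "standard"   // valid session; sensitive changes need re-authentication
)

// Evaluate classifies a session at time now; durations use the config syntax ("720h", "15m").
func Evaluate(issuedAt, authenticatedAt, now time.Time, lifespan, privMaxAge string) (string, error) {
	life, err := time.ParseDuration(lifespan)
	if err != nil {
		return "", fmt.Errorf("session lifespan: %w", err)
	}
	priv, err := time.ParseDuration(privMaxAge)
	if err != nil {
		return "", fmt.Errorf("privileged_session_max_age: %w", err)
	}
	switch {
	case !now.Before(issuedAt.Add(life)): // assumption: expiry = issued-at + lifespan
		return Expired, nil
	case now.Sub(authenticatedAt) < priv: // authenticated_at younger than max age
		return Privileged, nil
	}
	return Standard, nil
}

// CookieMaxAge returns Max-Age in seconds: the lifespan if persistent, else 0 (attribute omitted).
func CookieMaxAge(lifespan string, persistent bool) (int, error) {
	life, err := time.ParseDuration(lifespan)
	if err != nil || !persistent {
		return 0, err
	}
	return int(life.Seconds()), nil
}

func main() {
	login := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed sample login time
	for _, after := range []time.Duration{5 * time.Minute, 20 * time.Minute, 721 * time.Hour} {
		state, _ := Evaluate(login, login, login.Add(after), "720h", "15m")
		fmt.Printf("%v after login: %s\n", after, state)
	}
	age, _ := CookieMaxAge("720h", true)
	fmt.Println("Max-Age with persistent: true =", age)
}
```

time.ParseDuration has no day unit, so a value such as 30d is rejected; 30 days has to be written as 720h, as in the example above.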