Limit the TTL for anonymous sessions to 1 hour (!20700) · Merge requests · GitLab.org / GitLab FOSS

Stan Hu requested to merge sh-limit-unauthenticated-session-times into master Jul 18, 2018

By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended.

Closes #48101 (closed)

Admin message

Limit the TTL for anonymous sessions to 1 hour

Merge request reports