Session expiration and keepalive settings ignored

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OSE and OSD version: 2.15 (didn't work with 2.13 and 2.14 either)
Browser: Vivaldi

Describe the issue:
User is forced to relogin after browser is closed.

Similar to a recent issue

These options seem to be ignored

  • ‘opensearch_security.cookie.ttl: 86400000’
  • ‘opensearch_security.session.ttl: 86400000’
  • ‘opensearch_security.session.keepalive: true’

I have no issue with frequent logouts, but with the fact that the cookie is set as “session cookie” regardless of what I configure. This also happens when a local account is used - the only difference is that with local login there is one cookie set: security_authentication
With OIDC login there is security_authentication AND security_authentication_oidc1.

In both cases the cookie is deleted after the browser is closed. If I modify the expiration date of the cookie, everything works after closing and reopening the browser.

Any idea what might be wrong?

Hi @haagen,

Have you tried any alternative browsers other than Vivaldi?

Looks like the fix was introduced in OS 2.13, please see the related: Azure idp SAML session expiration and how to decipher: security_authentication_saml1, security_authentication - #5 by Mantas

Best,
mj

Hi @Mantas, thank you very much for your reply.

I’ve tried Chrome and Firefox as well :(.
There might be a difference between SAML and OIDC auth flow e.g. SAML might be fixed, but OIDC might not be - at least it looks like it.

I did some more digging and it looks like the values above are not respected when integrating with Azure SAML; you will have to look at the IdP to see if you can adjust the TTL.

best,
mj
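
A check for the symptom described in the first post, as an added example that is not part of the original thread: it parses `Set-Cookie` headers and reports whether each cookie is a session cookie (no `Expires` or `Max-Age`) or a persistent one, compared against the `cookie.ttl` value quoted in the post. The header values, `NOW` and the function names are constructed for illustration; only the cookie names and the TTL value come from the post.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

CONFIGURED_TTL_MS = 86400000  # opensearch_security.cookie.ttl from the post


def lifetime_ms(set_cookie, now):
    """Return (name, lifetime_ms); lifetime None means a session cookie."""
    name_value, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    parsed = {k.strip().lower(): v.strip()
              for k, _, v in (a.partition("=") for a in attrs)}
    # Max-Age wins over Expires when both are present (RFC 6265).
    if re.fullmatch(r"-?\d+", parsed.get("max-age", "")):
        return name, int(parsed["max-age"]) * 1000
    if parsed.get("expires"):
        try:
            expires = parsedate_to_datetime(parsed["expires"])
        except (TypeError, ValueError):
            return name, None  # unparseable date: attribute is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, int((expires - now).total_seconds() * 1000)
    return name, None


def audit(headers, now, ttl_ms=CONFIGURED_TTL_MS, slack_ms=60000):
    """Classify each Set-Cookie header against the configured TTL."""
    report = {}
    for header in headers:
        name, life = lifetime_ms(header, now)
        if life is None:
            report[name] = "session cookie (dropped when the browser closes)"
        elif abs(life - ttl_ms) <= slack_ms:
            report[name] = "persistent, matches configured ttl"
        else:
            report[name] = f"persistent, {life} ms (configured {ttl_ms} ms)"
    return report


# Constructed sample headers; values are placeholders, not real captures.
NOW = datetime(2024, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = [
    "security_authentication=PLACEHOLDER; Path=/; HttpOnly; SameSite=Lax",
    "security_authentication_oidc1=PLACEHOLDER; Path=/; HttpOnly; Max-Age=86400",
]

if __name__ == "__main__":
    print(audit(SAMPLES, NOW))
```

To use it on a real deployment, replace `SAMPLES` with the `Set-Cookie` lines from the login response shown in the browser's network tab and `NOW` with the response time.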