🚀 Feature: multiple session durations #392

Open
opened 2026-02-04 19:25:15 +03:00 by OVERLORD · 6 comments
Owner

Originally created by @Tone866 on GitHub (Jul 25, 2025).

Feature description

I would like to see a „remember me“ option, so you can set 2 different session durations.
One short and one long.

Pitch

I would use a remember me option for my personal devices and would uncheck it on everything else, so even if I forget to logoff, it‘s at least not that long logged in anyway.

Originally created by @Tone866 on GitHub (Jul 25, 2025). ### Feature description I would like to see a „remember me“ option, so you can set 2 different session durations. One short and one long. ### Pitch I would use a remember me option for my personal devices and would uncheck it on everything else, so even if I forget to logoff, it‘s at least not that long logged in anyway.
OVERLORD added the needs more upvotes label 2026-02-04 19:25:15 +03:00
Author
Owner

@stonith404 commented on GitHub (Jul 26, 2025):

Thanks for the suggestion. I've removed the second part of the feature request because an OIDC provider (like Pocket ID) can't define the session duration of its clients.

@stonith404 commented on GitHub (Jul 26, 2025): Thanks for the suggestion. I've removed the second part of the feature request because an OIDC provider (like Pocket ID) can't define the session duration of its clients.
Author
Owner

@Tone866 commented on GitHub (Jul 27, 2025):

I've removed the second part of the feature request because an OIDC provider (like Pocket ID) can't define the session duration of its clients.

Really? With clients I mean the OIDC-Clients, not enduser clients like smartphones.
So if I would create two different OIDC-Clients in Pocket-ID, say secure.example.com and lesssecure.example.com, it‘s not possible to create custom session times on base from which url the request is coming from?

@Tone866 commented on GitHub (Jul 27, 2025): > I've removed the second part of the feature request because an OIDC provider (like Pocket ID) can't define the session duration of its clients. Really? With clients I mean the OIDC-Clients, not enduser clients like smartphones. So if I would create two different OIDC-Clients in Pocket-ID, say secure.example.com and lesssecure.example.com, it‘s not possible to create custom session times on base from which url the request is coming from?
Author
Owner

@stonith404 commented on GitHub (Aug 8, 2025):

Sorry for my late response. Yes, please see my comment (https://github.com/pocket-id/pocket-id/issues/792#issuecomment-3164845967) in another issue.

@stonith404 commented on GitHub (Aug 8, 2025): Sorry for my late response. Yes, please see my comment (https://github.com/pocket-id/pocket-id/issues/792#issuecomment-3164845967) in another issue.
Author
Owner

@Tone866 commented on GitHub (Aug 13, 2025):

OIDC clients usually don't rely on the session duration of the access token because they only use the access token once when the user signs in to retrieve its data.

I'm using mod_auth_openidc and to me it looks like I could do this, when I set the SessionMaxDuration to 0:

When set to 0, the session duration will be set equal to the expiry time of the ID token.

@Tone866 commented on GitHub (Aug 13, 2025): >OIDC clients usually don't rely on the session duration of the access token because they only use the access token once when the user signs in to retrieve its data. I'm using [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc/tree/master) and to me it looks like I could do this, when I set the SessionMaxDuration to 0: >When set to 0, the session duration will be set equal to the expiry time of the ID token.
Author
Owner

@stonith404 commented on GitHub (Aug 13, 2025):

In my opinion this option should get removed by mod_auth_openidc because the OIDC spec defines that ID tokens shouldn't be used to define the session duration.

NOTE: The ID Token expiration time is unrelated the lifetime of the authenticated session between the RP and the OP.

@stonith404 commented on GitHub (Aug 13, 2025): In my opinion this option should get removed by mod_auth_openidc because the [OIDC spec defines](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) that ID tokens shouldn't be used to define the session duration. > NOTE: The ID Token expiration time is unrelated the lifetime of the authenticated session between the RP and the OP.
Author
Owner

@jlssmt commented on GitHub (Dec 28, 2025):

I don't know if this is possible, but it would be very useful to be able to set longer sessions for specific IP ranges.
For example, local IPs could have a session of 30 days, while public IPs could have a session of only one day.

@jlssmt commented on GitHub (Dec 28, 2025): I don't know if this is possible, but it would be very useful to be able to set longer sessions for specific IP ranges. For example, local IPs could have a session of 30 days, while public IPs could have a session of only one day.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#392