    Limit the TTL for anonymous sessions to 1 hour · ccebbc97
    Stan Hu authored
    By default, all sessions are given the same expiration time configured in the
    session store (e.g. 1 week). However, unauthenticated users can generate a lot
    of sessions, primarily for CSRF verification. It makes sense to reduce the TTL
    for unauthenticated users to something much lower than the default (e.g. 1 hour) to
    limit Redis memory. In addition, Rails creates a new session after login,
    so the short TTL doesn't even need to be extended.
    
    Closes #48101
sh-limit-unauthenticated-session-times.yml 105 Bytes
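The mechanism the commit message describes, as an added example that is not GitLab's code: a Rack middleware that hands unauthenticated sessions a short TTL and leaves logged-in sessions on the store default. It assumes a session store that honours the standard Rack `:expire_after` option in `env['rack.session.options']` (Rack's session stores do, and Redis-backed stores use it as the key TTL), and it recognises a logged-in user by a Warden key in the session; the key name `'warden.user.user.key'`, the constant names and the `AnonymousSessionTtl` class are assumptions made for this example, as are the 1 week and 1 hour values taken from the message.

```ruby
# Added example, not GitLab's code: shorten the session TTL for requests that
# carry no authenticated user, as the commit message describes.
# Assumptions (not from the commit): the session store reads the Rack
# :expire_after option from env['rack.session.options'] when it commits the
# session, and a logged-in user is marked by a Warden key in the session
# (the Devise default 'warden.user.user.key' is assumed here).

DEFAULT_SESSION_TTL   = 7 * 24 * 60 * 60 # 1 week: the store-wide default
ANONYMOUS_SESSION_TTL = 60 * 60          # 1 hour for sessions with no user

# Pick the TTL for this request's session. A session that carries a user keeps
# the store default; anything else (CSRF-only sessions from anonymous visitors)
# gets the short TTL so it leaves Redis quickly.
def session_ttl(session, user_key: 'warden.user.user.key')
  return DEFAULT_SESSION_TTL if session && session[user_key]

  ANONYMOUS_SESSION_TTL
end

class AnonymousSessionTtl
  OPTIONS_KEY = 'rack.session.options'
  SESSION_KEY = 'rack.session'

  def initialize(app, user_key: 'warden.user.user.key')
    @app = app
    @user_key = user_key
  end

  # Mount this *below* the session store middleware: the store commits the
  # session (and reads :expire_after) only after the app returns, so deciding
  # after @app.call also covers a login that happened during this request.
  # Because Rails issues a fresh session on login, the fresh session simply
  # gets the default TTL; nothing has to be "extended".
  def call(env)
    status, headers, body = @app.call(env)
    options = (env[OPTIONS_KEY] ||= {})
    options[:expire_after] = session_ttl(env[SESSION_KEY], user_key: @user_key)
    [status, headers, body]
  end
end

# Run the middleware over a constructed request and report the TTL it chose.
# The downstream app is a stub; the session hash is constructed sample data.
def demo_expire_after(session)
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  env = { 'rack.session' => session, 'rack.session.options' => {} }
  AnonymousSessionTtl.new(app).call(env)
  env['rack.session.options'][:expire_after]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sessions: one holding only a CSRF token, one with a Warden user.
  puts "anonymous:     #{demo_expire_after({ '_csrf_token' => 'constructed' })}s"
  puts "authenticated: #{demo_expire_after({ 'warden.user.user.key' => [[42], 'salt'] })}s"
end
```

The middleware only sets the option; the actual eviction happens in the store, so the check after deploying something like this is to watch the Redis key count and memory for session keys rather than the application log.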