Hello all!
I am looking for a technical clarification. I know some parts of this are present in the documentation and in some other topics here, but I don’t think any of those fully answer my question, which is actually quite practical:
Between those three TTLs (SESSION_COOKIE_TTL, REFRESH_TOKEN_TTL and ACCESS_TOKEN_TTL), how do they control browser-based access to the Admin front-end?
As a practical example: if I want to have a very long-lasting session TTL while the user is making operations, but as soon as they stop (for example close the browser or go to the toilet or whatever), the session should end shortly (say, 5 minutes).
Does this mean I can have something like the following?
SESSION_COOKIE_TTL = 4m
REFRESH_TOKEN_TTL = 5m
ACCESS_TOKEN_TTL = 4m
How would that compare to something like this?
Does this mean I can have something like the following?
SESSION_COOKIE_TTL = 4m
REFRESH_TOKEN_TTL = 5d
ACCESS_TOKEN_TTL = 4m
(Notice the much longer REFRESH_TOKEN_TTL). Does this mean that the session expires just the same, but I am then taken to the “reauthentication” screen that lets me just press “Continue” without entering a password, at any time within 5 days?
Thank you in advance for the clarifications, and thank you for the amazing piece of software!