feat: add session expiry control flags (#5976)

Adds --session-duration which lets admins customize the default session expiration for browser sessions. Adds --disable-session-expiry-refresh which allows admins to prevent session expiry from being automatically bumped upon the API key being used.
2025-07-09 11:45:56 +00:00 · 2023-02-04 04:38:36 +11:00
parent 2285a5e8a0
commit cf9abe3a6c
16 changed files with 225 additions and 37 deletions
--- a/cli/testdata/coder_server_--help.golden
+++ b/cli/testdata/coder_server_--help.golden
@ -91,6 +91,11 @@ Flags:
                                                     recommended for security purposes if a
                                                     --wildcard-access-url is configured.
                                                     Consumes $CODER_DISABLE_PATH_APPS
+      --disable-session-expiry-refresh               Disable automatic session expiry bumping
+                                                     due to activity. This forces all sessions
+                                                     to become invalid after the session
+                                                     expiry duration has been reached.
+                                                     Consumes $CODER_DISABLE_SESSION_EXPIRY_REFRESH
      --experiments strings                          Enable one or more experiments. These are
                                                     not ready for production. Separate
                                                     multiple experiments with commas, or
@ -111,8 +116,8 @@ Flags:
      --log-stackdriver string                       Output Stackdriver compatible logs to a
                                                     given file.
                                                     Consumes $CODER_LOGGING_STACKDRIVER
-      --max-token-lifetime duration                  The maximum lifetime duration for any
-                                                     user creating a token.
+      --max-token-lifetime duration                  The maximum lifetime duration users can
+                                                     specify when creating an API token.
                                                     Consumes $CODER_MAX_TOKEN_LIFETIME
                                                     (default 720h0m0s)
      --oauth2-github-allow-everyone                 Allow all logins, setting this option
@ -222,6 +227,13 @@ Flags:
      --secure-auth-cookie                           Controls if the 'Secure' property is set
                                                     on browser session cookies.
                                                     Consumes $CODER_SECURE_AUTH_COOKIE
+      --session-duration duration                    The token expiry duration for browser
+                                                     sessions. Sessions may last longer if
+                                                     they are actively making requests, but
+                                                     this functionality can be disabled via
+                                                     --disable-session-expiry-refresh.
+                                                     Consumes $CODER_MAX_SESSION_EXPIRY
+                                                     (default 24h0m0s)
      --ssh-keygen-algorithm string                  The algorithm to use for generating ssh
                                                     keys. Accepted values are "ed25519",
                                                     "ecdsa", or "rsa4096".