Session management
editSession management
editWhen you log in, Kibana creates a session that is used to authenticate subsequent requests to Kibana. A session consists of two components: an encrypted cookie that is stored in your browser, and an encrypted document in a dedicated Elasticsearch hidden index. By default, the name of that index is .kibana_security_session_1
, where the prefix is derived from the primary .kibana
index. If either of these components are missing, the session is no longer valid.
When your session expires, or you log out, Kibana will invalidate your cookie and remove session information from the index. Kibana also periodically invalidates and removes any expired sessions that weren’t explicitly invalidated.
To manage user sessions programmatically, Kibana exposes session management APIs. For details, check out Session and cookie security settings.
Session idle timeout
editYou can use xpack.security.session.idleTimeout
to expire sessions after a period of inactivity. This and xpack.security.session.lifespan
are both highly recommended.
By default, sessions expire after 8 hours of inactivity. To define another value for a sliding session expiration, set the property in the kibana.yml
configuration file. The idle timeout is formatted as a duration of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 20m, 24h, 7d, 1w). For example, set the idle timeout to expire sessions after 30 minutes of inactivity:
xpack.security.session.idleTimeout: "30m"
Session lifespan
editYou can use xpack.security.session.lifespan
to configure the maximum session duration or "lifespan" — also known as the "absolute timeout". This and xpack.security.session.idleTimeout
are both highly recommended. By default, a maximum session lifespan is 30 days. To define another lifespan, set the property in the kibana.yml
configuration file. The lifespan is formatted as a duration of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 20m, 24h, 7d, 1w). For example, set the lifespan to expire sessions after 7 days:
xpack.security.session.lifespan: "7d"
Session cleanup interval
editIf you disable session idle timeout and lifespan, then Kibana will not automatically remove session information from the index unless you explicitly log out. This might lead to an infinitely growing session index. As long as either idle timeout or lifespan is configured, Kibana sessions will be cleaned up even if you don’t explicitly log out.
You can configure the interval at which Kibana tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour and cannot be less than 10 seconds. To define another interval, set the xpack.security.session.cleanupInterval
property in the kibana.yml
configuration file. The interval is formatted as a duration of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 20m, 24h, 7d, 1w). For example, schedule the session index cleanup to perform once a day:
xpack.security.session.cleanupInterval: "1d"