Authelia does not let you set a different session length per subdomain: the session timers live in the global session block of configuration.yml. What you can vary per domain (e.g., a "short" or stricter treatment for a sensitive financial app and a more relaxed one for a media server) is the authentication requirement, using the Access Control rules.
So while the global session is defined in the session block, you override the security requirements per domain in access_control.
1. Configure Different Session Durations
In Authelia, the session block defines the maximum age of the session cookie (expiration) and the idle timeout (inactivity). Both apply to every host that shares the session cookie, so you cannot set a strict default and then relax it for individual services; a short inactivity value logs users out of all protected subdomains equally.
The most common way to handle "sensitive" apps is therefore to force 2FA on them while allowing 1FA on others, rather than to give them a shorter session.
2. Implementation in configuration.yml
Here is how you structure the access_control section to treat subdomains differently:
```yaml
access_control:
  default_policy: 'deny' # Secure by default: anything not matched below is refused
  rules:
    # 1. The "Sensitive" App: Requires 2FA (e.g., TOTP, WebAuthn/Passkey or Duo)
    - domain: 'vault.britbuzz.uk'
      policy: 'two_factor'
    # 2. The "Standard" App: Requires 1FA (Username/Password)
    - domain: 'vscode.britbuzz.uk'
      policy: 'one_factor'
    # 3. The "Public" App: No login required (the request still passes through
    #    Authelia's forward-auth endpoint, but no user is required to reach it)
    - domain: 'public.britbuzz.uk'
      policy: 'bypass'
```
---
3. Handling "Remember Me"
If you want users to stay logged in for days on certain devices but not others, ensure you have the remember_me option enabled in your session config:
```yaml
session:
  # ... other settings ...
  remember_me: '30d' # Users can tick a box at login to stay logged in for 30 days
```
---
4. Advanced: Multiple Session Providers (Rare)
If you truly need a 15-minute timeout for finance.britbuzz.uk and a 7-day timeout for plex.britbuzz.uk, Authelia does not support two different session timers for hosts that share one session cookie. Expiration and inactivity are set per cookie domain (in recent versions, per entry in the session.cookies list), and every subdomain of britbuzz.uk shares the same cookie, so a single instance cannot tell the two apps apart.
The workaround:
Run two separate Authelia containers, each with its own session settings, its own storage, and a distinct session cookie name (session.name), so that the two cookies both issued for britbuzz.uk do not collide:
- authelia-short: Configured with a 15m session.
- authelia-long: Configured with a 7d session.
Each instance also needs its own login portal hostname, because the forward-auth redirect must land on the instance that owns the cookie. Then, in Traefik, point the specific routers to the different forwardAuth middlewares:
- finance-router -> auth-short@file
- media-router -> auth-long@file
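The two-instance workaround carried through as a worked configuration, as an added example that is not part of the original page and not the Authelia or Traefik projects' own sample config. It assumes Authelia 4.38 or later (the /api/authz/forward-auth endpoint and the session.cookies list), Traefik with the file provider enabled, and the hypothetical portal hostnames auth-short.britbuzz.uk and auth-long.britbuzz.uk, container names authelia-short and authelia-long, and backend service URLs; the secrets are placeholders. The three YAML documents are the session and access-control part of each instance's configuration.yml followed by the Traefik dynamic configuration:

```yaml
# Added example, not from the original page or from Authelia/Traefik.
# Assumed: Authelia 4.38+, Traefik file provider, hypothetical hostnames and
# container names below, placeholder secrets.

# ---- configuration.yml for the authelia-short instance (relevant parts only) ----
session:
  name: 'authelia_short_session'   # must differ per instance: both cookies live on britbuzz.uk
  secret: 'replace-with-a-unique-random-secret'
  cookies:
    - domain: 'britbuzz.uk'
      authelia_url: 'https://auth-short.britbuzz.uk'   # this instance's own portal
      expiration: '15m'
      inactivity: '5m'
      remember_me: -1                # -1 disables "remember me" on the strict instance
access_control:
  default_policy: 'deny'
  rules:
    - domain: 'finance.britbuzz.uk'
      policy: 'two_factor'
---
# ---- configuration.yml for the authelia-long instance (relevant parts only) ----
session:
  name: 'authelia_long_session'
  secret: 'replace-with-a-different-random-secret'
  cookies:
    - domain: 'britbuzz.uk'
      authelia_url: 'https://auth-long.britbuzz.uk'
      expiration: '7d'
      inactivity: '1d'
      remember_me: '30d'
access_control:
  default_policy: 'deny'
  rules:
    - domain: 'plex.britbuzz.uk'
      policy: 'one_factor'
---
# ---- Traefik dynamic configuration (file provider), e.g. /etc/traefik/dynamic/auth.yml ----
http:
  middlewares:
    auth-short:                      # referenced as auth-short@file
      forwardAuth:
        address: 'http://authelia-short:9091/api/authz/forward-auth'
        trustForwardHeader: true
        authResponseHeaders: ['Remote-User', 'Remote-Groups', 'Remote-Email', 'Remote-Name']
    auth-long:                       # referenced as auth-long@file
      forwardAuth:
        address: 'http://authelia-long:9091/api/authz/forward-auth'
        trustForwardHeader: true
        authResponseHeaders: ['Remote-User', 'Remote-Groups', 'Remote-Email', 'Remote-Name']
  routers:
    finance-router:
      rule: 'Host(`finance.britbuzz.uk`)'
      entryPoints: ['websecure']
      middlewares: ['auth-short@file']
      service: 'finance'
      tls: {}
    media-router:
      rule: 'Host(`plex.britbuzz.uk`)'
      entryPoints: ['websecure']
      middlewares: ['auth-long@file']
      service: 'plex'
      tls: {}
    # Each portal is routed to its own instance and carries NO auth middleware,
    # otherwise the login page itself would demand a login.
    auth-short-router:
      rule: 'Host(`auth-short.britbuzz.uk`)'
      entryPoints: ['websecure']
      service: 'authelia-short'
      tls: {}
    auth-long-router:
      rule: 'Host(`auth-long.britbuzz.uk`)'
      entryPoints: ['websecure']
      service: 'authelia-long'
      tls: {}
  services:
    finance:        { loadBalancer: { servers: [ { url: 'http://finance:8080' } ] } }
    plex:           { loadBalancer: { servers: [ { url: 'http://plex:32400' } ] } }
    authelia-short: { loadBalancer: { servers: [ { url: 'http://authelia-short:9091' } ] } }
    authelia-long:  { loadBalancer: { servers: [ { url: 'http://authelia-long:9091' } ] } }
```

The two instances may share the same read-only users_database.yml (or LDAP backend) so that credentials stay in one place, but each needs its own storage backend and storage.encryption_key, and its own distinct session.secret. The distinct session.name values are the part people forget: without them, both instances write a cookie called authelia_session for britbuzz.uk and each instance rejects the other's cookie, producing a redirect loop between the two portals.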
Next Step
Since we've discussed 2FA requirements for specific domains, would you like me to show you the Duo API configuration block so you can start testing that "two_factor" policy on your sensitive apps?