From 202ec0a827ca5b99e3d851349a606f4723d611cf Mon Sep 17 00:00:00 2001
From: erikjohnston
Date: Tue, 20 Jun 2023 17:57:15 +0000
Subject: deploy: 7d3da399dd905d2a05da5a1941e996cbf2380e99
---
.../usage/configuration/config_documentation.html | 48 ++++++++++++++--------
1 file changed, 32 insertions(+), 16 deletions(-)
(limited to 'latest/usage/configuration/config_documentation.html')
diff --git a/latest/usage/configuration/config_documentation.html b/latest/usage/configuration/config_documentation.html
index 26a051c6c3..a92798d0b1 100644
--- a/latest/usage/configuration/config_documentation.html
+++ b/latest/usage/configuration/config_documentation.html
@@ -2268,6 +2268,38 @@ retrospectively to existing sessions for users that have already logged in.

nonrefreshable_access_token_lifetime: 24h
 

+

ui_auth

+

The amount of time to allow a user-interactive authentication session to be active.

+

This defaults to 0, meaning the user is queried for their credentials +before every action, but this can be overridden to allow a single +validation to be re-used. This weakens the protections afforded by +the user-interactive authentication process, by allowing for multiple +(and potentially different) operations to use the same validation session.

+

This is ignored for potentially "dangerous" operations (including +deactivating an account, modifying an account password, adding a 3PID, +and minting additional login tokens).

+

Use the session_timeout sub-option here to change the time allowed for credential validation.

+

Example configuration:

+
ui_auth:
+    session_timeout: "15s"
+
+
+

login_via_existing_session

+

Matrix supports the ability of an existing session to mint a login token for +another client.

+

Synapse disables this by default as it has security ramifications -- a malicious +client could use the mechanism to spawn more than one session.

+

The duration of time the generated token is valid for can be configured with the +token_timeout sub-option.

+

User-interactive authentication is required when this is enabled unless the +require_ui_auth sub-option is set to False.

+

Example configuration:

+
login_via_existing_session:
+    enabled: true
+    require_ui_auth: false
+    token_timeout: "5m"
+
+

Metrics

Config options related to metrics.


@@ -3073,22 +3105,6 @@ Defaults to false. require_uppercase: true
-

ui_auth

-

The amount of time to allow a user-interactive authentication session to be active.

-

This defaults to 0, meaning the user is queried for their credentials -before every action, but this can be overridden to allow a single -validation to be re-used. This weakens the protections afforded by -the user-interactive authentication process, by allowing for multiple -(and potentially different) operations to use the same validation session.

-

This is ignored for potentially "dangerous" operations (including -deactivating an account, modifying an account password, and -adding a 3PID).

-

Use the session_timeout sub-option here to change the time allowed for credential validation.

-

Example configuration:

-
ui_auth:
-    session_timeout: "15s"
-
-

Push

Configuration settings related to push notifications


-- cgit 1.5.1