Parameter: OIDC_LOGIN_COOKIE_DURATION_SEC
Short description: Lifetime of the OIDC login session cookie in seconds – after that, the user must re-authenticate with the OIDC provider.
Profile
Parameter | OIDC_LOGIN_COOKIE_DURATION_SEC |
Category | Security / TLS |
Component | Server |
Available since | 12.0.2 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 30–900 seconds (default 120) |
Description
After a successful OIDC login, Domino sets a session cookie that confirms authentication for a limited time.
OIDC_LOGIN_COOKIE_DURATION_SEC defines how long this cookie remains valid before Domino queries the IdP again. Shorter times (30–60 s) increase security – revoked accounts or policy changes take effect faster – but cause more round trips to the IdP. Longer times (300–900 s) reduce IdP load and are more pleasant for single-page apps with many XHR calls.
Example configuration
OIDC_LOGIN_COOKIE_DURATION_SEC=300
Notes & pitfalls
- Make a deliberate trade-off between security (short lifetime) and performance (long lifetime).
- Takes effect after an HTTP restart.
- For especially critical applications, additionally limit the lifetime on the application side (re-auth trigger).
- Pairs with OIDC_LOGIN_CLOCK_SKEW_SEC, OIDC_LOGIN_ENABLE_REDIRECT, and Internet Site session settings.
- The IdP-side token lifetime should be at least as long as this cookie duration.
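A pre-restart check for this setting, as an added example that is not HCL's code: it reads notes.ini text, applies the documented range and default, and compares the result with the IdP token lifetime from the last note. The function name, the idp_token_lifetime_sec input, case-insensitive name matching, and evaluating the last entry when the parameter appears more than once are assumptions.

```python
import re

PARAM = "OIDC_LOGIN_COOKIE_DURATION_SEC"
MIN_SEC, MAX_SEC, DEFAULT_SEC = 30, 900, 120  # range and default from the profile


def audit_cookie_duration(ini_text, idp_token_lifetime_sec=None):
    """Return (effective_seconds, findings) for notes.ini content given as text.

    idp_token_lifetime_sec is a hypothetical input: the token lifetime
    configured at the IdP, supplied by whoever runs the check.
    """
    findings, values = [], []
    for line in ini_text.splitlines():
        m = re.match(r"\s*([^=;\s]+)\s*=\s*(.*?)\s*$", line)
        # Assumption: parameter names are matched case-insensitively.
        if m and m.group(1).upper() == PARAM:
            values.append(m.group(2))
    if not values:
        effective = DEFAULT_SEC
        findings.append(f"not set: documented default of {DEFAULT_SEC} s applies")
    else:
        if len(values) > 1:
            findings.append(f"set {len(values)} times: keep a single entry")
        # Assumption: the last entry is the one evaluated; the page does not
        # say which entry the server honours when there are duplicates.
        raw = values[-1]
        if not re.fullmatch(r"[0-9]+", raw):
            return None, findings + [f"value {raw!r} is not a whole number of seconds"]
        effective = int(raw)
        if not MIN_SEC <= effective <= MAX_SEC:
            findings.append(
                f"{effective} s is outside the documented {MIN_SEC}-{MAX_SEC} s range")
    if idp_token_lifetime_sec is not None and idp_token_lifetime_sec < effective:
        findings.append(
            f"IdP token lifetime ({idp_token_lifetime_sec} s) is shorter than "
            f"the cookie duration ({effective} s)")
    return effective, findings


# Constructed sample notes.ini fragment, not taken from a real server.
SAMPLE_INI = "[Notes]\nOIDC_LOGIN_COOKIE_DURATION_SEC=300\n"

if __name__ == "__main__":
    print(audit_cookie_duration(SAMPLE_INI, idp_token_lifetime_sec=120))
```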