# ory-copilot
@chilly-king-10285 Hi, how can I add a feature "trust me for 30 days"
A message from kapa.ai
To implement a "trust me for 30 days" feature in Ory, you typically want to extend the session lifespan so that users remain authenticated for 30 days without needing to re-authenticate. You can achieve this by setting the session lifespan to 30 days (720 hours) in your Ory Identities configuration. Here’s how you can do it:

1. Ory Console: Go to Session Settings in the [Ory Console](https://console.ory.sh/), enter `720h` as the session lifespan, and click Save.
2. Ory CLI: Download your current configuration, update the session lifespan, and upload it back:

```bash
# Download config
ory get identity-config --project <project-id> --workspace <workspace-id> --format yaml > identity-config.yaml
```

Edit your `identity-config.yaml` to include:

```yaml
session:
  cookie:
    domain: $PROJECT_SLUG.projects.oryapis.com
    name: ory_session_{name}
    path: /
    persistent: false
    same_site: Lax
  lifespan: 720h
```

Then update your project:

```bash
ory update identity-config --project <project-id> --workspace <workspace-id> --file identity-config.yaml
```

This will keep the user session valid for 30 days, effectively implementing a "trust me for 30 days" feature. If you want the session cookie to persist even after the browser is closed, ensure the `persistent` flag is set appropriately for your use case. By default, the session cookie's `max-age` matches the session lifespan, so the browser will keep the session for 30 days unless the user logs out or the session is revoked. For more details, see the official documentation on [session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-lifespan).
@chilly-king-10285 Can I do it for 2FA as well?
A message from kapa.ai
Based on the knowledge sources, you can configure the session lifespan (e.g., "trust me for 30 days") for all sessions, including those authenticated with 2FA. However, there is an important distinction between session lifespan and the privileged session or Authenticator Assurance Level (AAL):

- Session Lifespan: You can set the session to last 30 days, so users (including those who have completed 2FA) remain logged in for that period unless they log out or the session is revoked. This applies to all sessions, regardless of whether 2FA was used at login [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-lifespan).
- 2FA (AAL2) and Privileged Sessions: Ory distinguishes between a session's AAL (e.g., AAL2 for 2FA) and its "privileged" state. The privileged session (used for sensitive actions like changing credentials) is controlled by a separate timer (`privileged_session_max_age`). After this period, even if the session is still valid, the user may be required to re-authenticate with 2FA for privileged actions [Privileged sessions](https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions).
- AAL2 Does Not Expire Automatically: Once a session is at AAL2 (2FA), it remains at that level for the session's duration. The AAL does not automatically downgrade after a set time, and there is no built-in timer for AAL2 expiration. If you want to require 2FA again after a certain period, you must implement this logic yourself by checking the time since the last AAL2 authentication (using the `authentication_methods` property in the session object) [Confusing documentation and interface description for AAL and privileged session](https://github.com/ory/network/issues/244).

Summary: You can set a 30-day session for users who log in with 2FA, but if you want to require 2FA again after a certain period (shorter than the session lifespan), you need to use the privileged session timer or implement custom logic to enforce re-authentication with 2FA for sensitive actions. There is no built-in "trust this device for 30 days for 2FA" toggle—session and 2FA timing are managed separately.
@chilly-king-10285 Default value for session lifetime is currently 72h. Can I add a checkbox to the login so the user can save his session for 30 days dynamically?
A message from kapa.ai
The knowledge sources do not describe a built-in way in Ory Kratos to dynamically set the session lifespan per user at login time (e.g., via a "remember me" checkbox that extends the session to 30 days). Session lifespan is configured globally in the Ory Identities (Kratos) configuration and applies to all sessions equally [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-lifespan).

There is no documented support for passing a parameter at login to override the session duration for individual users or sessions. The session cookie's persistence (whether it survives browser restarts) can be controlled via the `persistent` flag, but the actual session lifetime remains a global setting [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-lifespan).

If you need per-session or per-user session lifetimes (such as a "remember me" feature), you would need to implement custom logic outside of the standard Ory Kratos configuration. This is not supported natively according to the current documentation.

Summary: No, you cannot dynamically set the session lifetime per user at login using a checkbox with Ory Kratos' built-in features. The session lifetime is a global configuration value.

A message from kapa.ai

Based on the knowledge sources, Ory Kratos does not currently support dynamically setting the session lifespan per user at login time (for example, via a "remember me" checkbox). The session lifespan is a global configuration value that applies to all sessions equally and is set in the Ory Identities configuration. There is no documented way to override this value for individual sessions or users through the login flow or UI options [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-lifespan).

If you require this functionality, you would need to implement custom logic outside of the standard Ory Kratos features. The knowledge sources do not provide a built-in solution for this use case.
A message from kapa.ai
No, according to the knowledge sources, Ory Kratos does not support dynamically setting the session lifetime per user at login time (such as with a "remember me" checkbox). The session lifespan is a global configuration value that applies to all sessions and must be set in the configuration file or through the Ory Console. There is no documented way to override this value for individual sessions or users during the login flow [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan#session-lifespan). If you need this feature, you would have to implement custom logic outside of Ory Kratos, as it is not natively supported.