# ory-network
f
Hi. From what I understand I’m supposed to get a privileged session with a 15 minute timeout as configured under “Session Settings” in the console, when I provide the email code I’ve received during the password recovery flow. After providing the correct code, I’m instead getting a session with 3 days timeout, as configured in the “Session lifespan”. Pasting the session in the comments. There is also no `privileged_session_max_age` field, so to me this seems like a regular session. What am I missing?
```json
{
  "id": "41baab60-3d5f-423a-8f62-43f5a240bd2a",
  "active": true,
  "expires_at": "2023-01-28T14:18:36.976946Z",
  "authenticated_at": "2023-01-25T14:18:36.976946Z",
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {
      "method": "code_recovery",
      "aal": "aal1",
      "completed_at": "2023-01-25T14:18:36.977176492Z"
    }
  ],
  "issued_at": "2023-01-25T14:18:36.976946Z",
  "identity": {
    "id": "03414d9b-cf6d-4f02-96bb-7dacc99aa2f8",
    "schema_id": "9dffebdc3d30d3d502d5e1d581258206f65fb03106cdfa8a68b2a8a672e1796905c13e887777cf2cd9a811701a7166fa1ccaff925f37b0022e013f312c78ca00",
    "schema_url": "http://localhost:4000/schemas/OWRmZmViZGMzZDMwZDNkNTAyZDVlMWQ1ODEyNTgyMDZmNjVmYjAzMTA2Y2RmYThhNjhiMmE4YTY3MmUxNzk2OTA1YzEzZTg4Nzc3N2NmMmNkOWE4MTE3MDFhNzE2NmZhMWNjYWZmOTI1ZjM3YjAwMjJlMDEzZjMxMmM3OGNhMDA",
    "state": "active",
    "state_changed_at": "2023-01-25T13:21:27.834188Z",
    "traits": {
      "email": "<removed>",
      "firstName": "Supplier",
      "lastName": "Supplierson"
    },
    "verifiable_addresses": [
      {
        "id": "3ede395b-e7d7-45af-befc-aa08c53d270a",
        "value": "<removed>",
        "verified": true,
        "via": "email",
        "status": "completed",
        "verified_at": "2023-01-25T13:22:18.423116Z",
        "created_at": "2023-01-25T13:21:27.849935Z",
        "updated_at": "2023-01-25T13:21:27.849935Z"
      }
    ],
    "recovery_addresses": [
      {
        "id": "fabbdbb7-ca12-4302-94f7-fbd4f0c58bcc",
        "value": "<removed>",
        "via": "email",
        "created_at": "2023-01-25T13:21:27.856163Z",
        "updated_at": "2023-01-25T13:21:27.856163Z"
      }
    ],
    "created_at": "2023-01-25T13:21:27.844582Z",
    "updated_at": "2023-01-25T13:21:27.844582Z"
  },
  "devices": [
    {
      "id": "73900499-40e3-4b83-8431-113c00b24551",
      "ip_address": "<removed>",
      "user_agent": "<removed>",
      "location": "<removed>"
    }
  ]
}
```
r
The session is considered privileged for the first 15 min of its life. After that, it’s still valid but not privileged.
f
I see, thank you. Is there any way of recognizing that a session is privileged?
r
You can calculate if the `authenticated_at` timestamp is less than your configured privilege-max-age (default 15 min) in the past 🙂
f
Okay, so I guess that means that the first 15 minutes of every session is considered a privileged session? And that I’m really just performing a regular login using the email-code I received during the recovery flow?
r
f
Yes I’ve read through that section a couple of times. I guess it could be emphasized that it’s just a regular session where the first 15 minutes are “privileged”. A “privileged session” seems like something completely separate from a regular session if you’re not familiar with the concept. Just some feedback from an authentication-noob😄
r
Feedback is appreciated 👍 There’s also this section: https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions
f
Thank you 👍 Btw I noticed that the 3rd paragraph here: https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset has a link going here: https://www.ory.sh/docs/kratos/session-management/overview#privileged-sessions but that page does not contain any information about privileged sessions.
r
Good catch! Will fix