Session Management

Session management is as anti-denial of service (DoS) best practice for API security. A session represents the amount of time a visitor spends on your site and is not related to how long Admin users or customers are logged in to their accounts.

A session is a sequence of network HTTP request and response transactions associated with the same user. It is a way to associate a client (Admin) with their data when they access the server. Sessions provide the ability to establish variables, such as access rights and localization settings, which apply to every interaction a user has with a web application for the duration of the session.

Use the following configuration settings to limit the maximum session size for Admin users and storefront visitors:

  • Max Session Size in Admin—Limit the maximum sessions size in bytes. Use 0 to disable.
  • Max Session Size in Storefront—Limit the maximum sessions size in bytes. Use 0 to disable.

Both settings are measured in bytes and default to 256000 bytes (or 256KB).

Configure maximum session size

  1. On the Admin sidebar, go to Store > Settings > Configuration.

  2. In the left panel, expand Advanced and choose System.

  3. Expand Expansion selector the Security section to access the session settings.

    Session settings

  4. Enter new session size(s) in bytes.

    Setting the value too low can cause issues. If you set either of the options below the 256000 byte default, you will see a warning message. If you click No, the system changes the value to 256000.

  5. Click Save Config.

Admin session

If you exceed the maximum session size, an error displays and the system logs the session size constraint to the var/log directory.

Admin session size error

If you lose access to the Admin after setting the session size too low, use the CLI to reset the configuration:

1
bin/magento config:set system/security/max_session_size_admin 256000

Storefront session

If you exceed the maximum session size, no error displays but the system logs the session size constraint to the var/log directory.