Session management is an anti-denial of service (DoS) best practice for API security. A session represents the amount of time a visitor spends on your site and is not related to how long Admin users or customers are logged in to their accounts.
A session is a sequence of network HTTP request and response transactions associated with the same user. It is a way to associate a client (Admin) with their data when they access the server. Sessions provide the ability to establish variables, such as access rights and localization settings, which apply to every interaction a user has with a web application for the duration of the session.
Use the following configuration settings to limit the maximum session size for Admin users and storefront visitors:
- Max Session Size in Admin—Limit the maximum session size in bytes. Use
- Max Session Size in Storefront—Limit the maximum session size in bytes. Use
Both settings are measured in bytes and default to 256000 bytes (or 256KB).
Configure maximum session size
On the Admin sidebar, go to Store > Settings > Configuration.
In the left panel, expand Advanced and choose System.
Expand the Security section to access the session settings.
Enter new session size(s) in bytes.
Setting the value too low can cause issues. If you set either option below the 256000-byte default, a warning message is displayed. If you click No, the system changes the value to
Click Save Config.
If you exceed the maximum session size, an error displays and the system logs the session size constraint to the
If you lose access to the Admin after setting the session size too low, use the CLI to reset the configuration:
bin/magento config:set system/security/max_session_size_admin 256000
If you exceed the maximum session size, no error displays but the system logs the session size constraint to the
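The following added example (not Magento code) models the behaviour described on this page: a session's serialized size is compared to the configured limit, an Admin session over the limit is rejected and logged, a storefront session over the limit is only logged, and a limit below the 256000-byte default produces a warning. Measuring the session as its JSON byte length and the storefront config path name are assumptions.

```python
"""Model of the documented session-size constraint (added example, not Magento's own code)."""
import json
import logging
from typing import Optional, Tuple

DEFAULT_MAX_SESSION_SIZE = 256000  # bytes (256 KB), the default stated on the page

CONFIG_PATHS = {
    "admin": "system/security/max_session_size_admin",       # path shown on the page
    "storefront": "system/security/max_session_size_storefront",  # assumed path name
}

log = logging.getLogger("session_size")


def validate_limit(scope: str, value: int) -> Optional[str]:
    """Return the warning text when a limit is set below the default, else None."""
    if value < DEFAULT_MAX_SESSION_SIZE:
        return (f"{CONFIG_PATHS[scope]}={value} is below the "
                f"{DEFAULT_MAX_SESSION_SIZE}-byte default; a limit that is too low "
                "can lock Admin users out")
    return None


def session_size_bytes(session: dict) -> int:
    """Byte length of the serialized session (JSON here, assumed stand-in for PHP serialization)."""
    return len(json.dumps(session, separators=(",", ":")).encode("utf-8"))


def check_session(scope: str, session: dict, limit: int) -> Tuple[bool, Optional[str]]:
    """Apply the documented behaviour and return (allowed, error_message).

    admin:      over the limit -> constraint logged and an error returned to the user.
    storefront: over the limit -> constraint logged only, no error shown to the visitor.
    """
    size = session_size_bytes(session)
    if size <= limit:
        return True, None
    message = f"{scope} session size {size} bytes exceeds the limit of {limit} bytes"
    log.warning(message)  # stands in for the log entry the page describes
    if scope == "admin":
        return False, message
    return True, None


if __name__ == "__main__":
    # Constructed sample: one small session and one well over the 256 KB default.
    print(check_session("admin", {"user": "admin", "acl": ["catalog"]}, DEFAULT_MAX_SESSION_SIZE))
    print(check_session("storefront", {"cart": "x" * 300000}, DEFAULT_MAX_SESSION_SIZE))
    print(validate_limit("admin", 100000))
```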