Limit the TTL for anonymous sessions to 1 hour

By default, all sessions are given the same expiration time configured in the
session store (e.g. 1 week). However, unauthenticated users can generate a lot
of sessions, primarily for CSRF verification. It makes sense to reduce the TTL
for unauthenticated to something much lower than the default (e.g. 1 hour) to
limit Redis memory. In addition, Rails creates a new session after login,
so the short TTL doesn't even need to be extended.

Closes #48101

1 files changed, 1 insertions, 0 deletions

diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 4b9cc59ec45..44bc72a7185 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -140,6 +140,7 @@ Settings.gitlab['default_projects_features'] ||= {}
 Settings.gitlab['webhook_timeout'] ||= 10
 Settings.gitlab['max_attachment_size'] ||= 10
 Settings.gitlab['session_expire_delay'] ||= 10080
+Settings.gitlab['unauthenticated_session_expire_delay'] ||= 1.hour.to_i
 Settings.gitlab.default_projects_features['issues']             = true if Settings.gitlab.default_projects_features['issues'].nil?
 Settings.gitlab.default_projects_features['merge_requests']     = true if Settings.gitlab.default_projects_features['merge_requests'].nil?
 Settings.gitlab.default_projects_features['wiki']               = true if Settings.gitlab.default_projects_features['wiki'].nil?