Forever sessions

From DreamFactory
Jump to: navigation, search
DreamFactoryTutorialsForever sessions

This tutorial builds on the concepts covered in the other User Authentication tutorials. Normally JWT session tokens can only be refreshed prior to the DF_JWT_REFRESH_TTL timer expiring. By enabling forever sessions you can force the system to ignore DF_JWT_REFRESH_TTL and allow refresh at any time (forever). This is similar to the Facebook model, where a device remains logged into an account forever, unless explicitly logged out. The session token will still expire after DF_JWT_TTL and require refreshing, but it can be refreshed forever.


To set up forever sessions, configure DF_ALLOW_FOREVER_SESSIONS and DF_JWT_TTL in the .env file. Note that DF_JWT_REFRESH_TTL will be ignored once DF_ALLOW_FOREVER_SESSIONS is set to true.

The .env file for a DreamFactory instance is located at the installation's root directory. Refer to the example .env-dist file provided in the GitHub repository here.


In .env, add or un-comment this line and set the value to true:


To make sure forever session is enabled, make the following API call.

GET http://{url}/api/v2/system/environment

Look for the following in your response.



In .env, add or un-comment this line and set the value to your desired TTL in minutes. A session refresh will be required to receive a new session token after this many minutes.


The above setting will require a session refresh every 12 hours (720 minutes).

3. Clear config

Run this command from the root directory for your DreamFactory instance installation.

php artisan config:clear


  • A forever session is instantiated if the client sets "remember_me": true at login.
  • Forever sessions may be refreshed to receive a new session token at any time, including after DF_JWT_REFRESH_TTL expires.
  • If a session is deleted, it may no longer be refreshed. Logging in again with valid credentials will be required.