
[6.x] Add config for disabling Elevated Sessions #14464

Merged
jasonvarga merged 11 commits into statamic:6.x from 1stevengrant:disable-elevated-session
Apr 21, 2026

Conversation

@1stevengrant (Contributor) commented Apr 9, 2026

Summary

  • Adds an elevated_sessions_enabled config option to config/users.php that allows disabling elevated sessions entirely
  • It's also available by setting STATAMIC_ELEVATED_SESSIONS_ENABLED=false in your .env file.
  • When disabled, the RequireElevatedSession middleware is bypassed, so users are never prompted to reauthorize
  • Includes tests validating the disabled behavior

Context

Our Statamic implementation uses Auth0 as the primary auth driver, which means elevated sessions (password re-confirmation) are not applicable since authentication is handled externally. This config option allows us (and others using OAuth providers) to cleanly disable the feature.

References:

@1stevengrant 1stevengrant changed the title from "Add config for disabling Elevated Sessions" to "[6.x] Add config for disabling Elevated Sessions" Apr 9, 2026

@jasonvarga (Member) left a comment
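The config flag and middleware bypass described in the summary above, as an added illustration: this is not code from the PR or from Statamic. The key names elevated_sessions_enabled, elevated_session_duration, elevated_session_url and STATAMIC_ELEVATED_SESSIONS_ENABLED come from the PR; the namespace, the session key, the elevate() hook, the sample URL value and the JSON/redirect behaviour are assumed shapes chosen for the example.

```php
<?php

namespace App\Http\Middleware; // assumed location, for illustration only

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/*
 * config/users.php fragment (assumed shape; key names from the PR):
 *
 *     'elevated_sessions_enabled' => env('STATAMIC_ELEVATED_SESSIONS_ENABLED', true),
 *     'elevated_session_duration' => 15,                    // assumed unit: minutes
 *     'elevated_session_url'      => '/cp/confirm-password', // assumed value
 *
 * The default is true, so an unset or misspelled variable never switches the
 * feature off. Laravel's env() casts the strings "true"/"false" to booleans,
 * so an explicit STATAMIC_ELEVATED_SESSIONS_ENABLED=false is the only thing
 * that disables it.
 */
class RequireElevatedSession
{
    // Hypothetical session key holding the unix time until which the session
    // counts as elevated. Not Statamic's key name.
    private const SESSION_KEY = 'elevated_until';

    public function handle(Request $request, Closure $next): Response
    {
        // Feature-level kill switch. The fallback here is true as well, so a
        // config cache built before the key existed keeps the check active
        // instead of silently bypassing it.
        if (! config('users.elevated_sessions_enabled', true)) {
            return $next($request);
        }

        $elevatedUntil = (int) $request->session()->get(self::SESSION_KEY, 0);

        if ($elevatedUntil > now()->getTimestamp()) {
            return $next($request);
        }

        // Not elevated, or the window has expired.
        if ($request->expectsJson()) {
            return response()->json(['message' => 'Elevated session required.'], 403);
        }

        // Remember the target so the confirm page can send the user back.
        $request->session()->put('url.intended', $request->fullUrl());

        return redirect()->to(config('users.elevated_session_url'));
    }

    /**
     * Assumed hook: call this after the user has successfully re-authenticated.
     * Stores an absolute expiry, so the window is not extended by further
     * requests; elevated_session_duration is assumed to be in minutes.
     */
    public static function elevate(Request $request): void
    {
        $minutes = max(1, (int) config('users.elevated_session_duration', 15));

        $request->session()->put(
            self::SESSION_KEY,
            now()->addMinutes($minutes)->getTimestamp()
        );
    }
}
```

The point to check in review is the fallback: it is true both in the config file and in the config() call, so an unset variable, a typo in the key or a stale config cache leaves the feature on, and only an explicit false turns it off. With the flag off, nothing in the application re-authenticates the user before sensitive actions, so an external provider such as the Auth0 setup described above has to provide that step-up itself.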

Opting out of a security feature like this feels awkward.

How are you implementing OAuth on your site? It might make sense if the Elevated Session page allowed you to re-authenticate however you authenticated in the first place.

That might be a big rabbit hole though. It'll probably end up better to just allow a way to disable it in the end, but I'd still like to know.

In any case, could you change it to elevated_sessions_enabled (with true as the default) as having disabled: true always feels backwards.

@1stevengrant (Contributor, Author)

We use Auth0 to authenticate via OTP.

There's a customised login screen hosted with them and then we have a success callback that handles Laravel auth.

We never login via the control panel.

Works fine currently with v5.

@jasonvarga (Member)

Fair enough. Yeah let's just flip the config to be _enabled rather than _disabled then.

@1stevengrant 1stevengrant requested a review from jasonvarga April 10, 2026 01:30
@jasonvarga (Member)

Pausing this until #14424 is done.

@jasonvarga jasonvarga marked this pull request as draft April 17, 2026 17:56
@jasonvarga jasonvarga dismissed their stale review April 17, 2026 17:56

Requested change was made.

jasonvarga and others added 4 commits April 21, 2026 10:59

# Conflicts:
#	src/Http/Middleware/CP/RequireElevatedSession.php

Matches the existing singular elevated_session_duration and elevated_session_url keys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Also exposes the flag to JS so the requireElevatedSession helper
short-circuits before hitting the (now absent) status endpoint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jasonvarga jasonvarga marked this pull request as ready for review April 21, 2026 17:53
jasonvarga and others added 2 commits April 21, 2026 14:01

Feature-level boolean reads better as plural. Kept elevated_session_duration
singular since "duration of a session" is semantically about one session.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jasonvarga jasonvarga merged commit 3bb9286 into statamic:6.x Apr 21, 2026
18 checks passed