diff --git a/crates/defguard_common/src/config.rs b/crates/defguard_common/src/config.rs
index 6db70311a..1423806ef 100644
--- a/crates/defguard_common/src/config.rs
+++ b/crates/defguard_common/src/config.rs
@@ -40,6 +40,7 @@ pub struct DefGuardConfig {
 
     #[arg(long, env = "DEFGUARD_AUTH_COOKIE_TIMEOUT", default_value = "7d")]
     #[serde(skip_serializing)]
+    #[deprecated(since = "2.0.0", note = "Use Settings.default_authentication instead")]
     pub auth_cookie_timeout: Duration,
 
     #[arg(long, env = "DEFGUARD_SECRET_KEY")]
@@ -93,7 +94,9 @@ pub struct DefGuardConfig {
     // relying party id and relying party origin for WebAuthn
     #[arg(long, env = "DEFGUARD_WEBAUTHN_RP_ID")]
     pub webauthn_rp_id: Option<String>,
+
     #[arg(long, env = "DEFGUARD_URL", value_parser = Url::parse, default_value = "http://localhost:8000")]
+    #[serde(skip_serializing)]
     #[deprecated(since = "2.0.0", note = "Use Settings.defguard_url instead")]
     pub url: Url,
 
@@ -112,6 +115,7 @@ pub struct DefGuardConfig {
     pub stats_purge_threshold: Duration,
 
     #[arg(long, env = "DEFGUARD_ENROLLMENT_URL", value_parser = Url::parse, default_value = "http://localhost:8080")]
+    #[serde(skip_serializing)]
     #[deprecated(since = "2.0.0", note = "Use Settings.public_proxy_url instead")]
     pub enrollment_url: Url,
 
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_login.rs b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
index a7078488a..5306f0da8 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_login.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
@@ -605,7 +605,11 @@ pub(crate) async fn auth_callback(
     let (session, user_info, mfa_info) =
         create_session(&appstate.pool, insecure_ip, user_agent.as_str(), &mut user).await?;
 
-    let max_age = Duration::seconds(config.auth_cookie_timeout.as_secs() as i64);
+    let timeout = Settings::get_current_settings().authentication_timeout();
+    let max_age = Duration::try_from(timeout).map_err(|err| {
+        error!("Failed to convert authentication timeout for cookie max-age: {err}");
+        WebError::Http(StatusCode::INTERNAL_SERVER_ERROR)
+    })?;
     let cookie_domain = config
         .cookie_domain
         .as_ref()
diff --git a/crates/defguard_core/src/handlers/auth.rs b/crates/defguard_core/src/handlers/auth.rs
index dc6cb8494..a5ccd001e 100644
--- a/crates/defguard_core/src/handlers/auth.rs
+++ b/crates/defguard_core/src/handlers/auth.rs
@@ -237,7 +237,11 @@ pub(crate) async fn authenticate(
     let (session, user_info, mfa_info) =
         create_session(&appstate.pool, insecure_ip, user_agent.as_str(), &mut user).await?;
 
-    let max_age = Duration::seconds(server_config().auth_cookie_timeout.as_secs() as i64);
+    let timeout = Settings::get_current_settings().authentication_timeout();
+    let max_age = Duration::try_from(timeout).map_err(|err| {
+        error!("Failed to convert authentication timeout for cookie max-age: {err}");
+        WebError::Http(StatusCode::INTERNAL_SERVER_ERROR)
+    })?;
     let config = server_config();
     let cookie_domain = config
         .cookie_domain