Ability to set MFA cookie's settings independent of the main authentication session's cookie's settings?

It appears that the MFA cookies, auth0-mf and auth0-mf-compat, share the same tenant “Session Expiration” settings as the normal login session’s cookies, presumably auth0 and auth0-compat.

For example, we have these settings set in our Auth0 tenant “Session Expiration” settings:

We’ve set these as this is how we want our normal login session to behave. Importantly, we wish it to be non-persistent (the session will expire when the browser is closed).

The issue is that this non-persistent session is also being applied to the MFA cookie. On the MFA page there is a setting to “Remember this device for 30 days”.

Because we have our “Session Expiration” settings set to “Non-persistent”, our MFA cookie is non-persistent as well, meaning the device is being “forgotten” when the browser is closed, and not after 30 days, essentially defeating the purpose of the checkbox.

We’d like to be able to manage these cookies separately, where we can have our login session be non-persistent, while our MFA cookie is persistent.

Is this possible?

The best reference I could find, although it does not answer this question: MFA Session Cookie (auth0-mf)

Hi @vance.morrison

Welcome back to the Auth0 Community!

Auth0 does not currently allow you to configure different persistence or expiration settings for the main login session cookies versus the MFA cookies. The tenant session settings (Session Expiration and Idle Session Lifetime) apply to both the standard session cookies and the MFA cookies, so you cannot make one non-persistent while making the other persist for 30 days via the built-in “Remember this device” option.

Thanks
Dawid
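Added example (not code from this thread or from Auth0): a small Python check that parses the Set-Cookie lines of a login response and reports, per cookie, whether it is session-only or persistent and for how many days, which is the quickest way to confirm what the browser actually receives for auth0-mf after ticking “Remember this device”. The Set-Cookie lines and the reference time below are constructed, not captured from a real tenant.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie lines (hypothetical; not captured from a real Auth0
# response). The login session cookies carry no Expires/Max-Age, so a browser
# drops them on close; the MFA cookies carry a 30-day lifetime.
SAMPLE_SET_COOKIES = [
    "auth0=sess123; Path=/; HttpOnly; Secure",
    "auth0-compat=sess123; Path=/; HttpOnly; Secure",
    "auth0-mf=mf123; Path=/; Max-Age=2592000; HttpOnly; Secure",
    "auth0-mf-compat=mf123; Path=/; Expires=Wed, 15 Jan 2025 10:00:00 GMT; HttpOnly; Secure",
]
# Fixed reference time (constructed) so the Expires-based lifetime is reproducible.
REFERENCE_NOW = datetime(2024, 12, 16, 10, 0, 0, tzinfo=timezone.utc)


def cookie_lifetime(set_cookie_line, now=REFERENCE_NOW):
    """Return (name, seconds) for one Set-Cookie line; seconds is None for a
    session cookie (no Max-Age, no Expires). Max-Age wins over Expires (RFC 6265)."""
    jar = SimpleCookie()
    jar.load(set_cookie_line)
    if len(jar) != 1:
        raise ValueError(f"could not parse one cookie from {set_cookie_line!r}")
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"]:
        return name, int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        return name, int((expires - now).total_seconds())
    return name, None


def audit_cookies(set_cookie_lines, now=REFERENCE_NOW):
    """Map cookie name -> lifetime in whole days, or None for session-only."""
    report = {}
    for line in set_cookie_lines:
        name, seconds = cookie_lifetime(line, now)
        report[name] = None if seconds is None else seconds // 86400
    return report


def mfa_remembered_for(set_cookie_lines, days=30, now=REFERENCE_NOW):
    """True only if every auth0-mf* cookie persists for at least `days` days.
    With a non-persistent tenant session, as described in the question, the
    MFA cookies show up as None and this returns False."""
    report = audit_cookies(set_cookie_lines, now)
    mfa = {n: d for n, d in report.items() if n.startswith("auth0-mf")}
    return bool(mfa) and all(d is not None and d >= days for d in mfa.values())
```

Feed it the real Set-Cookie lines from the browser's network tab (or a curl -i capture of the post-MFA redirect) to see which cookies your tenant actually makes persistent.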
