api.session.setExpiryAt() in post-login action fails to expire session

Using an post-login action to expire the session to a configured length of time for a particular customer.

Referencing the code below, I see that the relevant setExpiryAt() calls are executed because I see “Session/token expires in…” in the Action Execution logs for my login tests.

And yet my session does not expire. What am I missing?

Here’s the relevant code:

        ...
    if (sessionTimeoutMinutes) {
      if (!event.session) {
        console.log("!!!!! event.session undefined")
      }
      else if (!event.session.id) {
        console.log(`!!!!! no session.id - session: ${JSON.stringify(event.session)}`)
      } else {
        const expirationTimeMs = sessionTimeoutMinutes * 60 * 1000;
        const expiresAt = Date.now() + expirationTimeMs;
        api.session.setExpiresAt(expiresAt);
        api.refreshToken.setExpiresAt(expiresAt);
        console.log(`>Session/token expires in ${sessionTimeoutMinutes} min at ${(new Date(expiresAt).toISOString())}`);
      }
    }

Hi @terren

Welcome to the Auth0 Community!

I would advise to you review the following documentation and knowledge article regarding the matter:

• Sessions with Actions
• Why Users Remain Logged In After the Inactivity Timeout

If you have any other questions or still facing issues after reviewing them, feel free to leave a reply!

Kind Regards,
Nik