Hi,
We are experiencing some troubles setting up session lifetime.
From your documentation we already know this:
Session lifetime is controlled in the tenant settings, there are 2 settings:
- Inactivity timeout: Timeframe (in minutes) after which a user’s session will expire if they haven’t interacted with the Authorization Server. Will be superseded by system limits if over 4,320 minutes (3 days) for Developer or Developer Pro or 144,000 minutes (100 days) for enterprise plans.
- Require to log in after: Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. Will be superseded by system limits if over 43,200 minutes (30 days) for Developer or Developer Pro or 525,600 minutes (365 days) for enterprise plans.
From this page: https://auth0.com/docs/get-started/dashboard/configure-session-lifetime-settings
We already set these values in our tenant, but it isn’t working. Users are not logged out after the session lifetime nor inactivity time.
We check/test if the user was still logged in by implementing the following methods: checkSession(), getTokenSilently(), isAuthenticated$ but unfortunately, the user is still logged in.
How can we shorten application session time? Would this be the same as the expiration for the API in Auth0?
Even though this is not working for us, a new question came up.
Let’s suppose that:
- We use the checkSession() method, which should be called every 15 minutes (as the Auth0 documentation suggests).
- Then the user logs out.
- But the user will remain logged in for 15 min because checkSession hasn’t been checked.
So imagine this case: A user who logs in from two different tabs.
Then the user logs out from the application that is open in tab A and the flow works as expected, but then the user realizes that they are still logged in on tab B.
This would definitely be seen as a bug on our end.
Thanks in advance!
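
The two tenant settings quoted in the post above, modelled as an added example that is not part of the original post and is not Auth0's code. It clamps configured values to the plan limits quoted there and replays a timeline of interactions with the Authorization Server. The names `PLAN_CAPS`, `effectiveLimits` and `replaySession` are hypothetical, the timestamps are constructed, and the model assumes that login counts as the first interaction and that the session ends at the earlier of the two deadlines.

```javascript
// Model of the two session settings quoted in the post (assumption-based, not Auth0 code).
// All times are in minutes. The caps are the system limits quoted in the post.
const PLAN_CAPS = {
  developer: { idle: 4320, absolute: 43200 },     // Developer or Developer Pro
  enterprise: { idle: 144000, absolute: 525600 }, // enterprise plans
};

// A configured value above the plan cap is superseded by the cap.
function effectiveLimits(plan, configured) {
  const caps = PLAN_CAPS[plan];
  if (!caps) throw new Error(`unknown plan: ${plan}`);
  return {
    idle: Math.min(configured.idle, caps.idle),
    absolute: Math.min(configured.absolute, caps.absolute),
  };
}

// Replay interactions with the Authorization Server (constructed timestamps,
// minutes since login) and report when the session ends and which setting ends it.
function replaySession(interactions, limits) {
  const absoluteDeadline = limits.absolute; // fixed at login, never extended
  let idleDeadline = limits.idle;           // assumption: login at t=0 starts the idle timer
  for (const t of [...interactions].sort((a, b) => a - b)) {
    // An interaction after either deadline finds no session and cannot extend it.
    if (t >= Math.min(idleDeadline, absoluteDeadline)) break;
    idleDeadline = t + limits.idle;         // activity resets only the idle timer
  }
  return {
    expiresAt: Math.min(idleDeadline, absoluteDeadline),
    reason: absoluteDeadline <= idleDeadline
      ? 'require-login-after'
      : 'inactivity-timeout',
  };
}
```
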