Auth0 - Session lifetime not logging out users

Hi,

We are experiencing some troubles setting up session lifetime.

:dart: From your documentation we already know this:
Session lifetime is controlled in the tenant settings, there are 2 settings:

  1. Inactivity timeout: Timeframe (in minutes) after which a user’s session will expire if they haven’t interacted with the Authorization Server. Will be superseded by system limits if over 4,320 minutes (3 days) for Developer or Developer Pro or 144,000 minutes (100 days) for enterprise plans.
  2. Require to log in after: Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. Will be superseded by system limits if over 43,200 minutes (30 days) for Developer or Developer Pro or 525,600 minutes (365 days) for enterprise plans.

:memo: From this page: Configure Session Lifetime Settings

We already set these values in our tenant, but it isn’t working. Users are not logged out after the session lifetime nor inactivity time.

We check/test whether the user is still logged in by calling the following methods: checkSession(), getTokenSilently(), isAuthenticated$, but unfortunately the user is still logged in.

How can we shorten application session time? Would this be the same as the expiration for the API in Auth0?

Even though this is not working for us a new question came up.
Let’s suppose that:

  1. We use the checkSession() method, which should be called every 15 minutes (as the Auth0 documentation suggests).
  2. Then the user logs out.
  3. But the user will remain logged in for 15 min because checkSession hasn’t been called yet.
    :warning: So imagine this case: a user who logs in from two different tabs.
    Then the user logs out from the application that is open in tab A and the flow works as expected, but then the user realizes they are still logged in on tab B.

This would definitely be seen as a bug on our end.

Thanks in advance!

Hi @cviquez,

Welcome to the Community!

It looks like there is also a support ticket which has been opened for this topic. Please let us know if you have additional questions! I’ll summarize the response in the ticket here for others.

As described in this article on sessions, the Auth0 session and application session are two different session layers. The Auth0 session is managed in the tenant settings you’ve referenced, but the application layer is managed within the application. Tokens within the application are stored in memory by default for security reasons. However, because of the nature of memory storage, logging out in one tab won’t affect the other tab. You can read about using local storage instead of memory (and related security concerns) here: Auth0 Single Page App SDK

Related topic: Synchronizing session across browser tabs
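The two-tab scenario from the question and the two session layers from the reply both come down to the same point: the application layer has to enforce its own logout and lifetime rather than wait for the next checkSession() poll. The following is an added example, not code from the Auth0 SDK or from this thread. It models an application-layer session guard with hypothetical names (AppSession, LocalBus, the tab ids, the timeouts): each tab records login time and last activity against an injected clock, applies an inactivity timeout and an absolute lifetime locally, and publishes a logout message so the other tab drops its in-memory session immediately. In a browser the channel would be BroadcastChannel or the window `storage` event; LocalBus is an in-process stand-in so the example runs offline under Node.

```javascript
// Added example (not Auth0 SDK code). In-process stand-in for BroadcastChannel /
// the `storage` event so the cross-tab logout can be exercised offline.
class LocalBus {
  constructor() { this.handlers = []; }
  subscribe(handler) { this.handlers.push(handler); }
  publish(message) { for (const h of this.handlers) h(message); }
}

// Application-layer session for one tab. The Auth0 (IdP) session is separate;
// this object only decides whether this tab may keep trusting its in-memory tokens.
class AppSession {
  constructor({ tabId, inactivityMs, absoluteMs, bus, clock }) {
    this.tabId = tabId;
    this.inactivityMs = inactivityMs;   // hypothetical app-level inactivity timeout
    this.absoluteMs = absoluteMs;       // hypothetical app-level absolute lifetime
    this.bus = bus;
    this.clock = clock;                 // () => ms, injected for deterministic tests
    this.active = false;
    this.reason = null;                 // why the session was last invalidated
    // A logout in any other tab invalidates this tab at once, no polling delay.
    bus.subscribe((msg) => {
      if (msg.type === 'logout' && msg.from !== this.tabId && this.active) {
        this.invalidate('remote-logout');
      }
    });
  }

  login() {
    const now = this.clock();
    this.active = true;
    this.reason = null;
    this.loginAt = now;
    this.lastActivity = now;
  }

  // Record user interaction. Extends the inactivity window, never the absolute lifetime.
  touch() {
    if (this.active) this.lastActivity = this.clock();
  }

  // Local check the app runs before using its tokens (e.g. in a route guard).
  isValid() {
    if (!this.active) return false;
    const now = this.clock();
    if (now - this.loginAt >= this.absoluteMs) return this.invalidate('absolute-lifetime');
    if (now - this.lastActivity >= this.inactivityMs) return this.invalidate('inactivity');
    return true;
  }

  // Explicit logout: clear locally, then tell the other tabs.
  logout() {
    this.invalidate('local-logout');
    this.bus.publish({ type: 'logout', from: this.tabId });
  }

  invalidate(reason) {
    this.active = false;
    this.reason = reason;
    // A real app would also clear in-memory tokens and redirect to the IdP logout URL.
    return false;
  }
}

// Constructed scenario from the thread: two tabs logged in, logout happens in tab A.
function twoTabScenario() {
  let t = 0;
  const clock = () => t;
  const bus = new LocalBus();
  const opts = { inactivityMs: 15 * 60 * 1000, absoluteMs: 8 * 60 * 60 * 1000, bus, clock };
  const tabA = new AppSession({ tabId: 'A', ...opts });
  const tabB = new AppSession({ tabId: 'B', ...opts });
  tabA.login();
  tabB.login();
  t += 60 * 1000;
  const bothValid = tabA.isValid() && tabB.isValid();
  tabA.logout();
  return { bothValid, bValidAfterLogout: tabB.isValid(), bReason: tabB.reason };
}

// Constructed scenario: inactivity timeout vs. absolute lifetime on a single tab.
function timeoutScenario() {
  let t = 0;
  const clock = () => t;
  const make = () => new AppSession({
    tabId: 'X', inactivityMs: 15 * 60 * 1000, absoluteMs: 60 * 60 * 1000, bus: new LocalBus(), clock,
  });
  const idle = make();
  idle.login();
  t += 14 * 60 * 1000;
  const validWhileActive = idle.isValid();   // 14 min idle: still valid
  t += 60 * 1000;
  idle.isValid();                            // 15 min idle: inactivity timeout fires
  t = 0;
  const busy = make();
  busy.login();
  for (let i = 0; i < 12; i++) { t += 5 * 60 * 1000; busy.touch(); }
  busy.isValid();                            // active throughout, but 60 min since login
  return { validWhileActive, inactivityReason: idle.reason, absoluteReason: busy.reason };
}

console.log(JSON.stringify(twoTabScenario()), JSON.stringify(timeoutScenario()));
```

The reply's point about memory storage is what makes the bus necessary: with tokens held per tab in memory, nothing else tells tab B that tab A logged out, so the application has to signal it explicitly and treat the signal as authoritative. The tenant-level settings still govern the Auth0 session itself; the local timeouts here only decide when the app stops trusting the tokens it already holds.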

Hi Stephanie,

Thanks for your reply. You clarified my doubts.

