Auth0 Session Timeout Not Working for Next.js SPA

Problem statement

Auth0 session timeout does not work for Next.js SPA.

In Tenant Settings > Advanced > Session Management, the following was configured:

  1. enabled “Persistent Session”
  2. “inactivity timeout”: 1 minute
  3. “required login after”: 1 minute

However, after logging in to the application and waiting for over 1 minute, the user is not logged out when the page is refreshed.

Cause

The Next.js SDK maintains its own session. You can find more details in the following article:

Solution

Set AUTH0_SESSION_ROLLING_DURATION in the Next.js SDK to the same timeout value as in the Auth0 tenant settings.
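
The following is an added example, not code from the SDK or from Auth0: a simplified model of the app-side session showing why the refresh after 1 minute still succeeds, plus a check that flags app-side lifetimes longer than the tenant's. It assumes the SDK durations are in seconds with defaults of 1 day (rolling) and 7 days (absolute), and it goes beyond the fix above by also comparing AUTH0_SESSION_ABSOLUTE_DURATION with "required login after"; the `tenant` object and all function names are hypothetical.

```javascript
// Added example, not SDK source. Durations are in seconds.
// Assumed SDK defaults when the variables are unset: 1 day rolling, 7 days absolute.
const ASSUMED_DEFAULTS = { rolling: 86400, absolute: 604800 };

function parseSeconds(value, fallback) {
  if (value === undefined || value === '') return fallback;
  const n = Number(value);
  if (!Number.isInteger(n) || n <= 0) throw new Error(`invalid duration: ${value}`);
  return n;
}

// Read the app-side session settings from an env-like object.
function sdkSessionConfig(env) {
  return {
    rolling: parseSeconds(env.AUTH0_SESSION_ROLLING_DURATION, ASSUMED_DEFAULTS.rolling),
    absolute: parseSeconds(env.AUTH0_SESSION_ABSOLUTE_DURATION, ASSUMED_DEFAULTS.absolute),
  };
}

// Simplified model of a rolling session: it ends at the earlier of
// last activity + rolling duration and login time + absolute duration.
function appSessionValid(cfg, loginAt, lastActivityAt, now) {
  return now < Math.min(lastActivityAt + cfg.rolling, loginAt + cfg.absolute);
}

// Report app-side lifetimes that outlast the tenant's (tenant values are minutes).
function findDrift(env, tenant) {
  const cfg = sdkSessionConfig(env);
  const idle = tenant.inactivityTimeoutMinutes * 60;
  const max = tenant.requireLoginAfterMinutes * 60;
  const findings = [];
  if (cfg.rolling > idle) findings.push(`rolling ${cfg.rolling}s > tenant inactivity ${idle}s`);
  if (cfg.absolute > max) findings.push(`absolute ${cfg.absolute}s > tenant require-login ${max}s`);
  return findings;
}

// Constructed scenario from the page: tenant timeouts of 1 minute, page refreshed after 61 s.
const tenant = { inactivityTimeoutMinutes: 1, requireLoginAfterMinutes: 1 };
const unset = {}; // SDK variables not configured
const aligned = { AUTH0_SESSION_ROLLING_DURATION: '60', AUTH0_SESSION_ABSOLUTE_DURATION: '60' };
console.log(appSessionValid(sdkSessionConfig(unset), 0, 0, 61));   // true: app session still valid
console.log(appSessionValid(sdkSessionConfig(aligned), 0, 0, 61)); // false: app session expired
console.log(findDrift(unset, tenant), findDrift(aligned, tenant));
```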