Problem statement
Auth0 session timeout does not work for Next.js SPA.
In Tenant Settings > Advanced > Session Management, the following was configured:
- Enabled “Persistent Session”;
- “inactivity timeout”: 1 minute;
- “required login after”: 1 minute.
However, after logging into the application and waiting for over 1 minute, the user is not logged out if the URL is refreshed.
Cause
The Next.js SDK maintains its own session, independent of the tenant session settings. Details are in the article “Sync session with Auth0 when using Next.js”.
Solution
Set AUTH0_SESSION_ROLLING_DURATION in the Next.js SDK configuration to the same timeout value as in the Auth0 Tenant Settings.
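A drift check for this fix, added here as an example and not taken from the Auth0 article or the SDK: it compares the SDK session environment variables (seconds) with the tenant values (minutes) and reports every SDK limit that outlives the tenant limit. Assumptions: the function names, the tenant object shape, the default values (nextjs-auth0 v1-v3), and the pairing of “required login after” with AUTH0_SESSION_ABSOLUTE_DURATION.

```javascript
// Added example, not Auth0's code. Durations in the SDK env vars are in seconds.
// Defaults are those of nextjs-auth0 v1-v3 (assumption: verify for your version).
const SDK_DEFAULTS = {
  AUTH0_SESSION_ROLLING_DURATION: "86400", // 24 hours
  AUTH0_SESSION_ABSOLUTE_DURATION: "604800", // 7 days
};

// "false" disables a limit in the SDK, so treat it as unbounded.
function toSeconds(value) {
  if (value === "false") return Infinity;
  const n = Number(value);
  if (!Number.isInteger(n) || n <= 0) throw new Error(`invalid duration: ${value}`);
  return n;
}

// tenant: dashboard values in minutes (hypothetical object shape).
// Returns one finding per SDK limit that outlives the matching tenant limit.
function checkSessionAlignment(env, tenant) {
  const cfg = { ...SDK_DEFAULTS, ...env };
  const findings = [];
  const idleLimit = tenant.inactivityTimeoutMin * 60;
  const absoluteLimit = tenant.requireLoginAfterMin * 60;
  const rollingSec = toSeconds(cfg.AUTH0_SESSION_ROLLING_DURATION);
  const absoluteSec = toSeconds(cfg.AUTH0_SESSION_ABSOLUTE_DURATION);

  if (rollingSec > idleLimit) {
    findings.push({ setting: "AUTH0_SESSION_ROLLING_DURATION",
                    sdkSeconds: rollingSec, tenantSeconds: idleLimit });
  }
  // Assumed pairing: tenant "required login after" vs. the SDK absolute duration.
  if (absoluteSec > absoluteLimit) {
    findings.push({ setting: "AUTH0_SESSION_ABSOLUTE_DURATION",
                    sdkSeconds: absoluteSec, tenantSeconds: absoluteLimit });
  }
  return findings;
}

// Constructed input: the tenant values from the problem statement (1 minute each).
const tenant = { inactivityTimeoutMin: 1, requireLoginAfterMin: 1 };
console.log(checkSessionAlignment({}, tenant)); // SDK left at its defaults
console.log(checkSessionAlignment(
  { AUTH0_SESSION_ROLLING_DURATION: "60", AUTH0_SESSION_ABSOLUTE_DURATION: "60" },
  tenant)); // SDK aligned with the tenant
```

Run it in CI or at application start-up with `process.env` as the first argument so a tenant timeout change that is not mirrored in the SDK configuration is caught before deployment.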