Authenticate with No Session

Overview

In situations where Auth0 acts as an intermediary provider, or where the end user should not be automatically logged in to Auth0 except in specific scenarios, there may be reasons to avoid having a Session created for the Auth0 Authentication.

Applies To

  • Session
  • Actions
  • Login Flow

Solution

Follow the steps below to limit the lifetime of the Session created from an Authentication.

  1. From the Dashboard, navigate to Settings > Advanced > Session Expiration
  2. Set both the Idle and Maximum Session Lifetime to the minimum of 1 minute.
  3. This ensures that the end user is forced to Authenticate again if they reach the login page after that 1 minute has elapsed.

NOTE: In this situation, Post-Login Action Redirections will also have only 1 minute to resume Authentication; otherwise the Redirection State will be invalidated.

If no session must be created but the Post-Login Action Redirections must last longer, leave the Idle and Maximum Session Lifetime longer in the Dashboard and instead set them from within the Post-Login Action, towards the end of the Trigger, for each individual Session as desired. There is also no minimum limit, so the session can be invalidated instantly for the Authentication flow.

The following code snippet shows how to set the Session Lifetime from within the action so there is no valid session after Authentication:

// Both values are absolute timestamps; -1 lies in the past, so no session survives this Authentication
api.session.setExpiresAt(-1);
api.session.setIdleExpiresAt(-1);
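As an added example (not code from the article or from Auth0), the following Post-Login Action applies the per-session approach described above: the Dashboard lifetimes stay long, and the Action removes the session entirely for logins through a selected connection, or shortens it to the article's 1 minute when a client is marked for that. The connection name and the client metadata key are placeholders, and the offline harness at the end only stands in for the real api object.

```javascript
// Added example (not from the article or Auth0): a Post-Login Action that
// applies the article's per-session approach. Dashboard lifetimes stay long;
// the Action shortens or removes the session only for selected logins.
// The connection name and client metadata key are placeholders.

const NO_SESSION_CONNECTIONS = ['intermediary-idp']; // placeholder connection name
const SHORT_SESSION_SECONDS = 60; // the article's 1-minute minimum

// Pure policy helper: returns absolute Unix timestamps (seconds) for
// api.session.setExpiresAt / setIdleExpiresAt, or null to keep the defaults.
function sessionExpiry(event, nowSeconds) {
  const connection = event.connection ? event.connection.name : undefined;
  const metadata = (event.client && event.client.metadata) || {};
  if (NO_SESSION_CONNECTIONS.includes(connection)) {
    // No session should survive this authentication (-1, as in the article).
    return { expiresAt: -1, idleExpiresAt: -1 };
  }
  if (metadata.short_session === 'true') { // placeholder metadata key
    // Keep a session, but only for one minute of idle or absolute time.
    const at = nowSeconds + SHORT_SESSION_SECONDS;
    return { expiresAt: at, idleExpiresAt: at };
  }
  return null;
}

// The Action entry point as Auth0 invokes it.
async function onExecutePostLogin(event, api) {
  const decision = sessionExpiry(event, Math.floor(Date.now() / 1000));
  if (decision) {
    api.session.setExpiresAt(decision.expiresAt);
    api.session.setIdleExpiresAt(decision.idleExpiresAt);
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Offline harness: a stand-in api that records the calls the Action makes.
// The handler awaits nothing, so its body completes synchronously.
function runLocally(event) {
  const calls = [];
  const api = {
    session: {
      setExpiresAt: (t) => calls.push(['setExpiresAt', t]),
      setIdleExpiresAt: (t) => calls.push(['setIdleExpiresAt', t]),
    },
  };
  onExecutePostLogin(event, api);
  return calls;
}
```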