checkSession counts as session activity

Hi,

An auth0 session has the following setting:

  • Inactivity timeout

I have a Single Page Application where I’m calling the auth-js client’s .checkSession() method periodically, every 20 minutes, to make sure the user still has an active session at auth0. I want to log out the user if the user logged out from another application where he logged in using the same auth0 tenant.

Is this call counted as activity for the user? In that case, can I consider that the session will never expire due to inactivity reasons, as I’m doing .checkSession() calls every 20 minutes?

Thanks,
Dan

I think there are two different questions here:

In that case, can I consider that the session will never expire due to inactivity reasons?

Yes, unless you log the user out elsewhere and clear the SSO cookie on Auth0 side. The latter should happen in this case:

if the user logged out from another application

since you most likely want to not only clear the application session but also the session on Auth0 end.

So, when a user logs out from another application that also calls the logout endpoint on Auth0’s end, the silent authentication (checkSession) in your first application won’t succeed anymore (because the user has no active session at Auth0 anymore). Therefore you would achieve what you have in mind.

See:

Also related, the different layers of sessions related to Single-Sign-Out:
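To make the mechanism described above concrete, here is an added example (not the thread’s or Auth0’s own code) of a periodic checkSession() poll that turns a lost Auth0 SSO session into a local logout. The Auth0 client is injected so the logic runs offline against a fake; with auth0-js it would be `new auth0.WebAuth({...})`, whose checkSession(options, cb) yields err.error === 'login_required' once the Auth0 session has been cleared by a logout elsewhere. The tolerance for transient errors and the error-code set are this example’s own assumptions.

```javascript
// Added example (not from the thread or Auth0): periodic checkSession() poll
// implementing single logout in a SPA. The client is injected so a fake can
// stand in for auth0.WebAuth; the transient-error tolerance is an assumption.

// Error codes meaning "no usable Auth0 session": the user is logged out.
const SESSION_GONE = new Set(['login_required', 'consent_required', 'interaction_required']);

class SessionWatcher {
  // webAuth: object exposing checkSession(options, cb)
  // onLogout: invoked once when the Auth0 session is found to be gone
  // intervalMs: poll period (20 minutes in the thread)
  // maxTransient: consecutive network/timeout errors tolerated before giving up
  constructor(webAuth, onLogout, { intervalMs = 20 * 60 * 1000, maxTransient = 3 } = {}) {
    Object.assign(this, { webAuth, onLogout, intervalMs, maxTransient });
    this.transient = 0;
    this.loggedOut = false;
    this.lastResult = null; // 'active' | 'gone' | 'transient'
    this.timer = null;
  }

  // One silent-authentication round trip against Auth0.
  check() {
    this.webAuth.checkSession({}, (err, authResult) => {
      if (!err && authResult) {
        this.transient = 0;
        this.lastResult = 'active';
      } else if (err && SESSION_GONE.has(err.error)) {
        this.lastResult = 'gone';
        this.markLoggedOut();
      } else {
        // Network blip or timeout: do not kick the user out on a single failure.
        this.lastResult = 'transient';
        if (++this.transient >= this.maxTransient) this.markLoggedOut();
      }
    });
  }

  markLoggedOut() {
    if (this.loggedOut) return;
    this.loggedOut = true;
    this.stop();
    this.onLogout(); // e.g. clear local tokens, then call webAuth.logout({...})
  }

  start() { this.stop(); this.timer = setInterval(() => this.check(), this.intervalMs); }
  stop() { if (this.timer) { clearInterval(this.timer); this.timer = null; } }
}
```

The onLogout callback is where the application clears its own session; as the reply notes, the application session and the Auth0 session are separate layers.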

Got it.
Thanks for the quick reply.

Dan

I also had a look at the links you have provided.

Please see below what I understood. Please correct me where I’m wrong.

So from what I understand, the Inactivity timeout setting is important only for auth0, in order to know whether to request the user to enter credentials again or not, based on the validity of the auth0 session. Related to Seamless SSO.
It has nothing to do with how long a user is considered logged in to the application. This has to be handled by the application.

Consider application A which calls the checkSession() method periodically, every 20 minutes. This is done to make sure it implements Single Logout.

  • The user tries to log in to application A for the first time.
  • User is requested to enter credentials.
  • User is redirected to application A’s page.
  • User closes application A’s page.

After this, there could be 2 possible use cases:

Use case 1
  • User waits for a time less than Inactivity timeout.
  • User tries to log in again in application A.
  • User is not prompted to enter credentials again because the session with auth0 is still active.
  • The user is seamlessly redirected to the application page.

Use case 2
  • User waits for a time more than Inactivity timeout.
  • User tries to log in again in application A.
  • User is prompted to enter credentials again because the session on auth0 has expired.

For me, this seems to be important only if we want to have Seamless SSO.

Thanks,
Dan
