My question relates to the nature of the cookie aka appSession that is dropped by the middle ware upon successful login and the Auth0Session.
On the openId connect library we use the defaults in terms of cookie expiration and policy as defined here. https://github.com/auth0/express-openid-connect/blob/master/V2_MIGRATION_GUIDE.md#session-lifecycle-configuration and the cookie works as expected.
What is not clear to us is how the different settings on the expiration of the client side cookie aka appSession cookie - reflect or not to the actual Auth0 Session.
For example.
We have set our cookie to with the following settings.
Absolute expiry policy 1 month. So once you login the appSession cookie is dropped to the browser and the expiration policy is 1 month.
At the same time on the Auth0 tenant - we have the following setting. Settings > Advanced > Persistent Session.
Inactivity timeout : 1m
Require after login : 30m
Its not really clear to me how this works with the underlying Auth0 Session.
Since our appSession cookie is set to expire in 1 month, we can see the as an end user practically I am logged in for 1 month and I am not required to login again.
But we have a feeling this is not the correct use of the cookie + session. We would like to make use of the Auth0 long lived session.
So my main question is how is the appSession cookie correlate with the Auth0 Session?
If I reset my cookie expiration policy to some defailts - e.g one day - how shall I take advantage of the Auth0 long live session? Is it a matter of just increasing the - Inactivity timeout to 1 month for example?