Correlation of the appSession cookie expiration and the Auth0 Server Side session

Hello, I have a basic question; I guess it is mostly around understanding and verifying certain aspects of our implementation.

I am using the express-openid-connect library (GitHub: auth0/express-openid-connect, an Express.js middleware to protect OpenID Connect web applications) in order to implement auth, backed by Auth0, on a React/SPA setup.

My question relates to the nature of the cookie (aka appSession) that is dropped by the middleware upon successful login and the Auth0 session.

On the OpenID Connect library we use the defaults in terms of cookie expiration and policy as defined here: https://github.com/auth0/express-openid-connect/blob/master/V2_MIGRATION_GUIDE.md#session-lifecycle-configuration, and the cookie works as expected.

What is not clear to us is how the different settings on the expiration of the client-side cookie (aka the appSession cookie) reflect, or do not reflect, on the actual Auth0 session.

For example, we have set our cookie with the following settings:

  • Absolute expiry policy: 1 month. So once you log in, the appSession cookie is dropped to the browser with an expiration policy of 1 month.

At the same time, on the Auth0 tenant we have the following settings under Settings > Advanced > Persistent Session:

  • Inactivity timeout: 1m
  • Require login after: 30m

It's not really clear to me how this works with the underlying Auth0 session.

Since our appSession cookie is set to expire in 1 month, we can see that, as an end user, I am practically logged in for 1 month and I am not required to log in again.

But we have a feeling this is not the correct use of the cookie + session. We would like to make use of the Auth0 long-lived session.

So my main question is: how does the appSession cookie correlate with the Auth0 session?
If I reset my cookie expiration policy to some defaults (e.g. one day), how shall I take advantage of the Auth0 long-lived session? Is it a matter of just increasing the inactivity timeout to 1 month, for example?

It seems that there is no correlation between the OpenID Connect appSession cookie and the Auth0 long session, as validated by one of the maintainers.
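The two lifetimes in the post, modelled side by side as an added example (this is not code from the poster, from express-openid-connect or from Auth0). The option names `session.rolling`, `session.rollingDuration` and `session.absoluteDuration` are the middleware's documented session settings; the expiry arithmetic below is a self-contained re-implementation written for illustration, and the Auth0 tenant policy is modelled from the values quoted in the post. The point it makes concrete is why the poster stays logged in for a month: the app validates its own cookie locally on every request, so Auth0's inactivity clock never advances and the tenant session can lapse long before the appSession cookie does.

```javascript
// Added example: the app-side appSession cookie and the Auth0 tenant session
// are two independent timers. Nothing here is library code; the arithmetic
// re-implements the documented behaviour for illustration only.

// Hypothetical middleware config (the shape passed to auth() from
// express-openid-connect): 1-month absolute expiry, no rolling renewal.
const appSessionConfig = {
  session: {
    rolling: false,
    rollingDuration: 24 * 60 * 60,        // 1 day, unused while rolling is false
    absoluteDuration: 30 * 24 * 60 * 60,  // 1 month, as in the post
  },
};

// Auth0 tenant "Persistent Session" settings quoted in the post (seconds).
const auth0SessionPolicy = {
  inactivityTimeout: 60,       // "Inactivity timeout: 1m"
  requireLoginAfter: 30 * 60,  // "Require login after: 30m"
};

// Expiry (unix seconds) of the appSession cookie, given when the session was
// created (iat) and last updated (uat). With rolling enabled the expiry slides
// forward on each request but is capped by the absolute limit; without
// rolling it is fixed at creation time.
function appSessionExpiry({ iat, uat }, { rolling, rollingDuration, absoluteDuration }) {
  const absolute = iat + absoluteDuration;
  if (!rolling) return absolute;
  return Math.min(uat + rollingDuration, absolute);
}

// Whether the Auth0 tenant session is still alive at `now`: the user must have
// touched Auth0 within the inactivity window AND authenticated within the
// require-login window.
function auth0SessionActive({ createdAt, lastActivity }, now, { inactivityTimeout, requireLoginAfter }) {
  return now - lastActivity <= inactivityTimeout && now - createdAt <= requireLoginAfter;
}

// Status of both sessions a given number of seconds after a single login.
// The app serves later requests from its own cookie without calling Auth0,
// so Auth0's lastActivity stays at the login time (constructed scenario).
function sessionStatus(secondsAfterLogin) {
  const loginAt = 0;
  const now = loginAt + secondsAfterLogin;
  const appExp = appSessionExpiry({ iat: loginAt, uat: loginAt }, appSessionConfig.session);
  return {
    appSessionValid: now < appExp,
    auth0SessionValid: auth0SessionActive(
      { createdAt: loginAt, lastActivity: loginAt }, now, auth0SessionPolicy),
  };
}

// Usage: one hour after login the app still accepts the cookie while the
// Auth0 tenant session has already lapsed.
console.log(sessionStatus(30));    // { appSessionValid: true, auth0SessionValid: true }
console.log(sessionStatus(3600));  // { appSessionValid: true, auth0SessionValid: false }
```

The rolling case is worth checking too: with `rolling: true`, `rollingDuration` of a day and `absoluteDuration` of a week, a session updated on day 10 still expires at day 7, because the absolute limit caps the sliding window. Shortening `absoluteDuration` only shortens the app's own cookie; it does not tie it to the tenant session, which is the maintainer's point above.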
