How to use sessions properly?

I need to implement logic where the app should track users’ activity within a session. In the docs, it is said that we can use the inactivity timeout for user sessions, but I don’t understand it properly, because by default it is set to 3 days. In my case, I need to check the user session (don’t confuse it with the JWT expiration time, as it is handled by the checkSession method) and, for example, if the user is inactive within that period (let’s pretend it is 30 minutes), the app should log him/her out.

  • One option is to keep a timestamp when a user is logged in and use that timestamp as a session.

  • The second one is to use the inactivity timeout mentioned above.

What would you advise to handle this situation?

1 Like

Hi Norayr,

See this page: Sessions
You will want to set the inactivity timeout to 30 minutes, and the “require login after” timeout to something longer. Your JWT expiration should be much shorter than 30 minutes.

John

1 Like

Thanks for your response, John. I already tried this option yesterday, but it didn’t log out. I am just curious about the implementation of it. Do I have these values (Inactivity timeout, Require to log in after) when the user logs in, or are these just values set in the Auth0 tenant configs? Do I have to do something manual to log out a user after the session expires? Also, how does Auth0 detect the activity of the user? In our case users just interact with the app (request/response) and with that we check the user’s activity.

Inactivity timeout: Timeframe after which a user’s session will expire if they haven’t interacted with the Authorization Server.
What kind of interaction is it supposed to be? As I can guess, it is not about normal interactions in the application (retrieving something from the server).

Also, in our case, our JWT is much longer than 30 minutes. We rely on the user’s active session, and if the user is active within that session (30 minutes), we just extend the session.

2 Likes

If you get a moment, can you reply to norayr’s latest question? I have the same questions (what do I need to do, beyond just changing the inactivity timeout value in the Auth0 UI, to make the logout actually take place?)

1 Like

@steve.hobbs maybe has an answer to this?

1 Like