Auth0 Home Blog Docs

How to use sessions properly?

I need to implement a logic, where the app should track users activity within a session. In the docs, it is said that we can use inactivity timeout for user sessions, but I don’t understand it properly, because by default it is set 3 days. In my case, I need to check user session (don’t confuse it with a jwt expiration time, as it is handled by checkSession method) and for example, if the user is inactive within that period (let’s pretend it is 30 minutes), the app should logout him/her.

  • One option is to keep timestamp when a user is logged in and use that timestamp as a session

  • Second one is to use inactivity timeout mentioned above.

What would you advise to handle this situation ?

Hi Norayr,

See this page: https://auth0.com/docs/sessions/concepts/session-lifetime
You will want to set the inactivity timeout to 30 minutes, and the “require login after” timeout to something longer. Your JWT expiration should be much shorter than 30 minutes.

John

Thanks for your response, John. I have already tried this option yesterday, but it didn’t log out. I am just curious about the implementation of it. Do I have these values(Inactivity timeout, Require to log in after) when user logs in or these are just values set in auth0 tenant configs? Do I have to do something manual to log out a user after the session expires? Also, how does auth0 detect the activity of the user? In our case users just interact with app (request/response) and with that we check user’s activity.

Inactivity timeout: Timeframe after which a user’s session will expire if they haven’t interacted with the Authorization Server.
What kind of interaction is it supposed to be? As I can guess, it is not about normal interactions in the application (retrieving smth. from server).

Also in our case, our JWT is much longer than 30 minutes. We rely on user active session and if the user is active within that session (30 minutes), we just extend the session .