Invalidating tokens used for refresh with checkSession

I am using JWT tokens to manage sessions, and I can refresh those sessions by calling checkSession – that’s all fine. What I find weird is that there is no way to invalidate the token used for checkSession meaning that if someone is served a JWT token say… 6 months ago (and I’ve set the expiry of it to say… 5 minutes) they can checkSession and get a fresh one today; that’s not secure at all.

Using refreshToken is not an option here; and I can see no way to control parameters surrounding checkSession on auth0’s side – give it a valid JWT no matter how expired and it will spit out a new one.

Why can I not set how often the token can be refreshed, or the time limit before checkSession will say “no, you must log in again and get a fresh token” instead of “ah yes you have an expired, or soon to expire token, here’s a new fresh one.”

I must be missing something as this is wildly insecure, how do I implement this using auth0’s API and not universal login or anything like that.

Hi @tsujp,

Have you taken a look at the session lifetime settings?

Let me know if this is not what you are looking for and I can investigate further.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.