I am using Auth0 to manage authentication in a NextJS application, and I am having issues with the session expiration. I would like the session to expire and the user to be logged out after 15 minutes of inactivity, or whenever they close their browser, but no matter what settings I change within Auth0, I haven’t been able to achieve this behavior. Within the Auth0 tenant settings, I’ve changed the session policy to “Non-persistent” and I’ve set the idle session lifetime to 15 minutes. I’ve also set the maximum session lifetime to 1 hour, but this doesn’t seem to be having an effect either. Is there another setting that I could be missing?
Thanks!
Hi @tyler.heathcote,
Welcome to the Auth0 Community!
Can you try changing the Maximum Session Lifetime setting to 15 minutes and observe the result?
Setting the session policy to “Non-persistent” will ensure the session ends when the browser closes. Are you using refresh token rotation?
Session documentation that may prove useful:
Thanks,
Mary Beth
Hi Mary Beth,
Thanks for the response. I have set the session policy to “Non-persistent”, the idle session lifetime to 15 minutes, and the maximum session lifetime to 15 minutes. Still, I logged into my application yesterday, completely closed out of my browser, and when returning to my website today, the session persisted and I was still logged in.
I am not using refresh token rotation, and I have attached a screenshot of my current settings for id token expiration and refresh token expiration. Please let me know if you can provide any further assistance, thank you!
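How the three settings discussed in this thread (idle lifetime, maximum lifetime, non-persistent cookie) combine in a generic server-side session check. This is an added example, not code from the thread, Auth0, or any SDK. The function names and the sample timeline are assumptions.

```javascript
// Added example: hypothetical helpers for a generic session layer.
// The durations mirror the values mentioned in the thread.
const MINUTE = 60 * 1000;

const policy = {
  idleLifetimeMs: 15 * MINUTE, // idle session lifetime
  maxLifetimeMs: 60 * MINUTE,  // maximum (absolute) session lifetime
  persistent: false,           // "Non-persistent": cookie has no Max-Age/Expires
};

// Server-side decision: is this session still valid at time `now` (ms)?
// The absolute limit is measured from creation and never extended;
// the idle limit is measured from the last recorded activity.
function evaluateSession(session, now, p = policy) {
  if (now - session.createdAt >= p.maxLifetimeMs) {
    return { valid: false, reason: 'max_lifetime' };
  }
  if (now - session.lastActivityAt >= p.idleLifetimeMs) {
    return { valid: false, reason: 'idle_timeout' };
  }
  return { valid: true, reason: null };
}

// Record activity only on a session that is still valid, so a stale
// cookie presented later cannot restart the idle timer.
function touch(session, now, p = policy) {
  const result = evaluateSession(session, now, p);
  return result.valid ? { ...session, lastActivityAt: now } : null;
}

// Build the Set-Cookie value. A non-persistent cookie omits Max-Age and
// Expires, so its removal is left to the browser; the server-side check
// above is what enforces both lifetimes regardless of the cookie's fate.
function sessionCookie(name, value, p = policy) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax'];
  if (p.persistent) attrs.push(`Max-Age=${Math.floor(p.maxLifetimeMs / 1000)}`);
  return attrs.join('; ');
}

// Constructed timeline: login at t=0, last request at t=10 min.
const sample = { createdAt: 0, lastActivityAt: 10 * MINUTE };
console.log(evaluateSession(sample, 20 * MINUTE));      // still valid
console.log(evaluateSession(sample, 26 * MINUTE));      // idle for 16 min
console.log(evaluateSession(sample, 24 * 60 * MINUTE)); // presented a day later
console.log(sessionCookie('sid', 'constructed-value'));
```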