I am using Auth0 to manage authentication in a NextJS application, and I am having issues with the session expiration. I would like the session to expire and the user to be logged out after 15 minutes of inactivity, or whenever they close their browser, but no matter what settings I change within Auth0, I haven’t been able to achieve this behavior. Within the Auth0 tenant settings, I’ve changed the session policy to “Non-persistent” and I’ve set the idle session lifetime to 15 minutes. I’ve also set the maximum session lifetime to 1 hour, but this doesn’t seem to be having an effect either. Is there another setting that I could be missing?
Thanks!
Hi @tyler.heathcote,
Welcome to the Auth0 Community!
Can you try changing the Maximum Session Lifetime setting to 15 minutes and observe the result?
Setting the session policy to “Non-persistent” will ensure the session ends when the browser closes. Are you using refresh token rotation?
Session documentation that may prove useful:
Thanks,
Mary Beth
Hi Mary Beth,
Thanks for the response. I have set the session policy to “Non-persistent”, the idle session lifetime to 15 minutes, and the maximum session lifetime to 15 minutes. Still, I logged into my application yesterday, completely closed out of my browser, and when returning to my website today, the session persisted and I was still logged in.
I am not using refresh token rotation, and I have attached a screenshot of my current settings for id token expiration and refresh token expiration. Please let me know if you can provide any further assistance, thank you!
Hi @marybeth.hunter - can you please provide any further guidance?
Thank you,
Tyler
Hi @tyler.heathcote,
Thank you for your replies, and I apologize for the delay. I’ve been out of the office.
Could you kindly take a look at this article: Why Users Remain Logged In After the Inactivity Timeout
Specifically regarding the examples with the browser. I believe the settings are all configured correctly, but the session is not being cleared.
I look forward to your reply!
Thanks,
Mary Beth
Hi @marybeth.hunter,
Thanks for the response. I have reviewed the article that you linked, and I think you may be correct about the clearing of the session, but I am unsure how to configure this in my application.
I am using the Auth0 NextJS SDK, as directed in the quickstart guide. I’ve also tried adjusting the configuration within my application as shown below:
    import { initAuth0 } from '@auth0/nextjs-auth0';

    const auth0Config = {
      domain: process.env.AUTH0_DOMAIN,
      clientId: process.env.AUTH0_CLIENT_ID,
      clientSecret: process.env.AUTH0_CLIENT_SECRET,
      baseURL: process.env.AUTH0_BASE_URL,
      session: {
        rolling: true,          // extend the session on every request
        rollingDuration: 60,    // seconds of inactivity before the session expires
        absoluteDuration: 120   // seconds after login after which it expires regardless of activity
      }
    };

    // Only requests served by this instance's handlers (e.g. edgeAuth0.handleAuth())
    // use these durations; the package's default export is configured from env vars.
    const edgeAuth0 = initAuth0(auth0Config);
but when inspecting the appSession cookie in the browser, the cookie shows an expiration of 24 hours later, not 60 seconds as I would expect.
Thanks again for your help and look forward to your response!
Hi @tyler.heathcote,
I have been doing some digging into this and have found a few things that may be helpful!
Referencing this Community article, there are session environment variables you can set with Next.js. If you’d like to control the session expiry, set the AUTH0_SESSION_ROLLING_DURATION and AUTH0_SESSION_ABSOLUTE_DURATION environment variables: ConfigParameters | @auth0/nextjs-auth0
They should be specified in seconds. The rolling session expiry is how long the session is set to last. When the user stays active on the app, this session is extended until the absolute duration is exceeded.
This issue would also be worth bringing up in tomorrow’s Next.js AMA!
Best,
Mary Beth
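Added example (not code from this thread or from the @auth0/nextjs-auth0 package): a small JavaScript model of the rolling/absolute session semantics the reply above describes, so the cookie expiry that a given AUTH0_SESSION_ROLLING_DURATION / AUTH0_SESSION_ABSOLUTE_DURATION pair should produce can be checked offline, including the two failure modes (idle timeout versus absolute cap reached despite activity). The function names, the session-record shape (createdAt / lastActiveAt in milliseconds) and the request timeline are assumptions constructed for illustration; the 24-hour and 7-day fallbacks are the SDK defaults as best known here, also an assumption.

```javascript
// Added example; not code from the thread or from @auth0/nextjs-auth0.
// Models rolling vs. absolute session expiry driven by the two env vars
// the reply names (values in seconds), so expected cookie lifetimes can be
// checked without touching the running app.

// Assumed fallbacks (SDK defaults as best known here): 24-hour rolling
// window, 7-day absolute cap. The 24-hour figure matches the cookie
// lifetime the original poster observed when no custom value applied.
const DEFAULT_ROLLING_SECONDS = 24 * 60 * 60;
const DEFAULT_ABSOLUTE_SECONDS = 7 * 24 * 60 * 60;

// Parse the two variables (seconds) from an env-like object. Non-numeric or
// non-positive values fall back to the defaults rather than silently
// producing a session that never expires.
function readSessionDurations(env = process.env) {
  const parse = (raw, fallback) => {
    const n = Number.parseInt(raw, 10);
    return Number.isInteger(n) && n > 0 ? n : fallback;
  };
  return {
    rollingSeconds: parse(env.AUTH0_SESSION_ROLLING_DURATION, DEFAULT_ROLLING_SECONDS),
    absoluteSeconds: parse(env.AUTH0_SESSION_ABSOLUTE_DURATION, DEFAULT_ABSOLUTE_SECONDS),
  };
}

// Hypothetical session record: createdAt = login time, lastActiveAt = time of
// the most recent request (both ms). Returns both limits for a session.
function sessionLimits(session, durations) {
  return {
    idleExpiry: session.lastActiveAt + durations.rollingSeconds * 1000,
    absoluteExpiry: session.createdAt + durations.absoluteSeconds * 1000,
  };
}

// The cookie expires at whichever limit is reached first.
function sessionExpiry(session, durations) {
  const { idleExpiry, absoluteExpiry } = sessionLimits(session, durations);
  return Math.min(idleExpiry, absoluteExpiry);
}

// Classify a session at time nowMs: valid, idle timeout, or absolute cap.
function sessionState(session, nowMs, durations) {
  const { idleExpiry, absoluteExpiry } = sessionLimits(session, durations);
  if (nowMs >= absoluteExpiry) return { valid: false, reason: 'absolute-timeout' };
  if (nowMs >= idleExpiry) return { valid: false, reason: 'idle-timeout' };
  return { valid: true, reason: 'ok', expiresAt: Math.min(idleExpiry, absoluteExpiry) };
}

// Simulate one request at nowMs: a valid session is rolled forward, an
// expired one is dropped (null), which is the "logged out" outcome.
function touchSession(session, nowMs, durations) {
  const state = sessionState(session, nowMs, durations);
  if (!state.valid) return null;
  return { ...session, lastActiveAt: nowMs };
}

// Walk a constructed request timeline (seconds after login) and record the
// outcome of each request, stopping once the session is gone.
function simulate(requestTimesSeconds, durations) {
  let session = { createdAt: 0, lastActiveAt: 0 };
  const log = [];
  for (const t of requestTimesSeconds) {
    const nowMs = t * 1000;
    log.push({ t, reason: sessionState(session, nowMs, durations).reason });
    session = touchSession(session, nowMs, durations);
    if (session === null) break;
  }
  return log;
}

// Stand-alone demo with the 60 s / 120 s values from the thread.
if (typeof require !== 'undefined' && require.main === module) {
  const durations = readSessionDurations({
    AUTH0_SESSION_ROLLING_DURATION: '60',   // constructed values
    AUTH0_SESSION_ABSOLUTE_DURATION: '120',
  });
  // Active every ~50 s: survives the idle window but hits the absolute cap at 120 s.
  console.log(simulate([30, 50, 100, 125], durations));
  // One gap longer than 60 s: idle timeout.
  console.log(simulate([30, 95], durations));
}
```

The two timelines in the demo are the cases to compare against a real cookie: with the thread's 60 s rolling / 120 s absolute pair, steady activity still ends the session at 120 s, while a single gap over 60 s ends it earlier. If the observed appSession cookie instead shows the 24-hour fallback, the configured values are not reaching the handler that issues the cookie.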