Auth0 Home Blog Docs

Keep users logged in indefinitely; react

jwt
access-token

#1

Hello,

I’ve followed this tutorial: https://auth0.com/docs/quickstart/spa/react/05-token-renewal but have been unable to keep users logged in indefinitely. I’ve set the “Token Expiration” to 864000 (as I understand it, this is the maximum amount of time… please correct me if I’m wrong). I’m not sure how this relates to the ‘expires_at’ parameter that is set in local storage. Do I need to increase the number in this line: let expiresAt = JSON.stringify((authResult.expiresIn * 1000) + new Date().getTime());?

Any help is greatly appreciated! Thanks!


#2

When you say “keep users logged in”, what do you mean? Are you talking about your app or Auth0’s session?


#3

Hi. I mean in the app. Currently a user has to re-login to the app every day.


#4

Ok, but you control your app’s session, right? How are you expiring your user’s sessions?


#5

Hi Luis,

I’m using this: https://auth0.com/docs/quickstart/spa/react/05-token-renewal – so the code is essentially identical to: https://github.com/auth0-samples/auth0-react-samples/tree/master/05-Token-Renewal

And I just check isAuthenticated() to see if the user is logged in.


#6

Yeah, if you access the app after the token is expired, then you’ll have to authenticate again. You can also call renewToken yourself if you want to get a new token (if one is available from the server)


#7

How do I make the token not expire for a very long time? Do I increase the 1000 in let expiresAt = JSON.stringify((authResult.expiresIn * 1000) + new Date().getTime());? Or do I change the “Token Expiration” in the api?


#8

Change the token expiration in the API. The code you mentioned uses whatever expires_in is returned from auth0’s server. A super long access token is not recommended or secure, though. Ideally, you should call renewToken when your app loads and get a new token (if available) from the authorization server. This way, you can revoke tokens/users and they’ll lose access to your app on the next renewal.


#9

Thanks for your help Luis. I thought the code i mentioned does what you are saying – but it doesn’t seem to because users have to keep logging in every day. Is there something else I need to add?

And if not, what is the longest the token expiration can be set to?


#10

You can call renewToken when your app starts. This will renew the token if possible (unless the server session has expired).

I don’t what’s the maximum amount of time you can set :frowning:


#11

Hi Luis,

The code calls this.scheduleRenewal(); in the constructor, which does this scheduleRenewal() { const expiresAt = JSON.parse(localStorage.getItem('expires_at')); const delay = expiresAt - Date.now(); if (delay > 0) { this.tokenRenewalTimeout = setTimeout(() => { this.renewToken(); }, delay); } }

Am I missing anything? Here is a gist of my code: https://gist.github.com/j10sanders/d5a5d4ab0ea2f9807e5b700f4bef1a18

Thanks again,
Jon


#12

Yes, but the sample code won’t try to renew the token if it is already expired, which is probably what you’re facing. My suggestion is just call renewToken when the app starts and this should reduce the amount of times users get asked to login again.


#13

Thanks Luis.

So you suggest putting this.renewToken = this.renewToken.bind(this); into the Auth.js constructor, and then calling this.props.auth.renewToken(); right when a user visits the site?


#14

Yes. That should work.