Login Session Management - Inactivity timeout and Require log in after

Hi team,

Aim - expire the user's session when it is idle / inactive for 5 mins (this is an arbitrary time for testing only; we would change it to an appropriate time later).

Tenant - https://manage.auth0.com/dashboard/au/au-move-nonprod/tenant/advanced

In the above tenant → Settings → Login Session Management, I tried setting the subject values to 5 minutes.

After that I kept my session idle and the browser instance in the background; I was basically doing non-browser activity.

After roughly 10 mins I tried accessing my idle session and, to my surprise, it was still active, i.e. the user was not navigated out to the login page.

My expectation was that the user's session would be terminated and hence the user would need to re-login. Am I missing something?

Hey there, welcome to the Auth0 Community forum!

I understand that you have issues getting the session lifetime expiration to work.
In this situation, I recommend going through our FAQ on Why Users Remain Login After the Inactivity Timeout.

If you have any additional questions after reviewing the FAQ please feel free to reach out.


Hi, thanks for your reply.

We store the access and refresh tokens issued by Auth0 in our cookies. The access token expires in 15 minutes and the refresh token, I think, is by default issued for a year.

When we say to synchronise the app's and Auth0's sessions, does it mean keeping the access and refresh token expiry at 5 mins (for example) if that is the time set for "idle activity" and "Log in require after" under the tenant's local session management?

Hey there,

"When we say to synchronise the app's and Auth0's sessions, does it mean keeping the access and refresh token expiry at 5 mins (for example) if that is the time set for "idle activity" and "Log in require after" under the tenant's local session management?"

The answer would be: "almost" :)
The Auth0 Session Management settings determine the session duration at the Auth0 level, and you can set up your app code base to make use of it. It is not done by default. By default, implementing authentication middleware in your app results in calling for the Auth0 session cookie that is managed by the /callback route. Next, the session cookie telling that the user is logged in goes to the user's browser. To change this behaviour, there is a need, at the app level, to control the user's local application session.

"We store the access and refresh tokens issued by Auth0 in our cookies. The access token expires in 15 minutes and the refresh token, I think, is by default issued for a year."

I can recommend checking this article, especially the section of session layers and how to manage the user’s local application session:

How do I control the duration of the user’s local application session?
Can I drive that from Auth0?
The web app has full control over the user’s local application session. How this is done usually depends on the web stack being used (for example, ASP.NET). Regardless, all approaches ultimately use one or more cookies to control the session. The developer can choose to use the expiration of the JWT ID Token returned by Auth0 to control their session duration or ignore it completely. Some developers store the ID Token itself in session state and end the user’s session when it has expired.
The reason why you would use the expiration of the token to determine the expiration of the local session is because it gives you centralized control of the duration of a user session from the Auth0 Dashboard.

If something remains unclear, please let me know, and have a good day!

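The two replies above make the same point: the tenant's "Inactivity timeout" and "Require log in after" settings only govern the Auth0 session, and the application has to enforce its own local session, optionally keyed off the ID token's expiry. The following is an added illustration of that local-session policy, not code from Auth0's SDKs or from the original posts. It assumes a Node.js web app with a server-side session record, mirrors the two tenant values as constants (5 minutes idle for testing, as in the question, and an assumed 1 hour absolute lifetime), and reads the `exp` claim from an already-verified ID token so the app session can never outlive the Auth0 one. The `requireLogin` middleware shape (`req.session`, `res.redirect`) and the `makeTestIdToken` helper are hypothetical and exist only so the example runs offline.

```javascript
// Added example (not Auth0 SDK code): enforce a local application session that
// mirrors the tenant's "Inactivity timeout" (sliding) and "Require log in after"
// (absolute) settings, and is also bounded by the ID token's `exp` claim.
// Without logic like this, the tenant setting alone never logs the user out of the app.

const IDLE_TIMEOUT_MS = 5 * 60 * 1000;        // mirror of "Inactivity timeout" (5 min, for testing)
const ABSOLUTE_LIFETIME_MS = 60 * 60 * 1000;  // mirror of "Require log in after" (assumed 1 h)

// base64url helpers (portable across Node versions that lack the 'base64url' encoding name).
function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Read the payload of a JWT. This does NOT verify the signature: the token must
// already have been validated (the SDK does that on /callback); we only read `exp`.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Build a local session record at login time (e.g. inside the /callback handler).
function createSession(idToken, now = Date.now()) {
  const claims = decodeJwtPayload(idToken);
  if (typeof claims.exp !== 'number') throw new Error('ID token has no exp claim');
  return {
    sub: claims.sub,
    createdAt: now,          // start of the absolute lifetime
    lastActivity: now,       // start of the sliding idle window
    tokenExp: claims.exp * 1000,
  };
}

// Evaluate the session on every request. Order matters: a token that has expired
// or an absolute lifetime that has elapsed ends the session even if the user is active.
// Only a valid check slides lastActivity forward.
function checkSession(session, now = Date.now()) {
  if (!session) return { valid: false, reason: 'no-session' };
  if (now >= session.tokenExp) return { valid: false, reason: 'token-expired' };
  if (now - session.createdAt >= ABSOLUTE_LIFETIME_MS) return { valid: false, reason: 'absolute-lifetime' };
  if (now - session.lastActivity >= IDLE_TIMEOUT_MS) return { valid: false, reason: 'idle-timeout' };
  session.lastActivity = now;
  return { valid: true, reason: 'ok' };
}

// Express-style middleware (hypothetical shape): clear the local session and send
// the user back through Auth0 when the local policy says the session is over.
function requireLogin(req, res, next) {
  const result = checkSession(req.session, Date.now());
  if (!result.valid) {
    req.session = null;
    return res.redirect('/login');
  }
  return next();
}

// Test helper: an *unsigned* ID token with constructed claims. Never accept such a
// token in real code; it exists only so this example runs without an Auth0 tenant.
function makeTestIdToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify(claims));
  return `${header}.${payload}.`;
}

module.exports = { createSession, checkSession, requireLogin, makeTestIdToken, decodeJwtPayload };
```

The idle window is sliding (each valid request resets it), while the absolute lifetime and the token expiry are fixed at login; that distinction is exactly the difference between the tenant's two settings. Keeping the app-side constants equal to the tenant values gives the "synchronised" behaviour the thread asks about, and the `exp` check means raising the tenant's ID token lifetime in the Dashboard cannot silently extend the app session beyond what the code allows.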
