Next.js + Auth0 implementation with Session Management

Setup

Hi there, I am currently developing a web application for our team’s project that is currently using Auth0 as the authentication system. Our technology stack includes: Next.js, React + TypeScript, and using Node.js’ Fastify as the backend API server.

We followed the quickstart guide that integrates Next.js (on Auth0’s Quickstart) and applied simple user credentials as the authentication layer for the first draft.

Questions

Is there a definitive guide to implementing Auth0 into Next.js 15.2.4 that will help us greatly develop this essential feature for the project?

Moreover, regarding user’s token and session/activity, I have the session settings:

  • Maximum ID Token Lifetime: 1 hour (3600 seconds)
  • Idle Refresh Token Lifetime and Maximum Refresh Token Lifetime are disabled.
  • For Session Expiration (in Tenants’ Settings → Advanced):
    • Session Policy is Non-persistent
    • Idle Session Lifetime: 5 minutes
    • Maximum Session Lifetime: 15 minutes

Do I need to implement any layer on the frontend (client-side) that will enact the session timeout accurately? Session lifetime is 10 minutes, but I do not see my session automatically expire and log me out. (FYI, I also implemented a simple layer on the middleware to check user Session with auth0.getSession()). There were some discussions on here that told us to implement environment variables like these:

AUTH0_SESSION_ROLLING_DURATION = 60
AUTH0_SESSION_ABSOLUTE_DURATION = 60
AUTH0_SESSION_ROLLING = false

but it seems that did not work either.

I would appreciate any help and can provide further context if needed.

Hi @hwng

Welcome to the Auth0 Community!

Regarding the guide for Next.js 15.2.4, I would recommend checking our quickstart → https://auth0.com/docs/quickstart/webapp/nextjs/01-login

Right now, your tenant is set to a Non-persistent session, with Idle = 5 min and Max = 15 min. Those values affect the Auth0 session layer only. Your app is likely still relying on the Next.js SDK session cookie, which you haven’t aligned to the same timings, so the UI won’t auto-expire when you expect. Also, when that app cookie does expire, the middleware redirects to Auth0; if the Auth0 session is still alive, Auth0 immediately redirects back, and a new app session is created.

Thanks
Dawid
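
The two session layers described in the reply above, as a small model (an added example, not part of the original posts and not the Auth0 SDK API). All function names and the app-cookie timings are constructed for illustration; the model assumes the Auth0 session's idle timer is only touched when the browser is redirected to Auth0.

```javascript
// Simplified model: an app session cookie in front of an Auth0 tenant session.
// Hypothetical names throughout; timings other than the tenant's 5/15 min are constructed.
const MIN = 60 * 1000;
const TENANT = { idleMs: 5 * MIN, maxMs: 15 * MIN }; // tenant settings from the question

// A session is expired once either the idle or the absolute limit is reached.
function isExpired(session, limits, now) {
  if (!session) return true;
  return now - session.lastActivity >= limits.idleMs ||
         now - session.createdAt >= limits.maxMs;
}

// One request hitting the middleware at time `now`; returns what the user sees.
function handleRequest(state, cfg, now) {
  if (!isExpired(state.app, cfg.app, now)) {
    state.app.lastActivity = now; // rolling app cookie, Auth0 is never contacted
    return "served";
  }
  // App cookie expired: middleware redirects to Auth0.
  if (!isExpired(state.idp, cfg.idp, now)) {
    state.idp.lastActivity = now; // the redirect counts as activity at Auth0
    state.app = { createdAt: now, lastActivity: now };
    return "silent-relogin"; // user never sees a login page
  }
  state.app = null;
  state.idp = null;
  return "login-prompt";
}

// Log in at t=0, then replay requests at the given minute offsets.
function simulate(appLimits, requestMinutes) {
  const cfg = { app: appLimits, idp: TENANT };
  const state = {
    app: { createdAt: 0, lastActivity: 0 },
    idp: { createdAt: 0, lastActivity: 0 },
  };
  return requestMinutes.map((m) => handleRequest(state, cfg, m * MIN));
}

// Constructed app-cookie configurations to compare.
const LONG_COOKIE = { idleMs: 24 * 60 * MIN, maxMs: 72 * 60 * MIN }; // far longer than tenant
const SHORT_COOKIE = { idleMs: 1 * MIN, maxMs: 1 * MIN };            // shorter than tenant
const ALIGNED = { idleMs: 5 * MIN, maxMs: 15 * MIN };                // same as tenant

console.log("long cookie :", simulate(LONG_COOKIE, [10, 20]));
console.log("short cookie:", simulate(SHORT_COOKIE, [2, 4, 16]));
console.log("aligned     :", simulate(ALIGNED, [3, 6, 9, 12, 16]));
```

With a long app cookie the tenant limits are never enforced in the UI; with a short one the user is silently re-logged in until the Auth0 session itself lapses; only the aligned case logs out on the tenant's schedule.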