Next.js SDK v4 — how to correctly extend/roll app session expiry (idle 30m, absolute 8h)

Hi,

Right now my session is expiring right after inactivityDuration: 30 * 60 (30 minutes). I want the session to automatically extend on user activity (e.g., API calls, page navigation) but still enforce an absolute max duration of 8 hours.

This is my current src/lib/auth0.ts config:

session: { 
  rolling: true, // extend session when server is hit
  inactivityDuration: 30 * 60, // 30 minutes idle timeout
  absoluteDuration: 8 * 60 * 60, // 8 hours hard cap
},

  • Is this the correct way to keep sessions alive based on user activity?

  • Do I need to configure anything else (middleware, API routes) to make sure “activity” extends the session correctly?

  • What’s the best practice to handle this in a large-scale production app?

Hello!

Yes, your configuration is correct. The rolling: true setting in your auth0.ts file automatically extends a user’s session by the inactivityDuration (30 minutes) with every request, while the absoluteDuration (8 hours) acts as a hard cap. No extra middleware is needed for this to work. For a large-scale app, best practice also includes using secure server-side sessions and implementing a refresh token rotation strategy to handle the absolute duration expiration smoothly and securely without requiring users to log in again.
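
The timing described in the answer above, modelled as an added example (this is not the Auth0 SDK's code and was not part of the original thread): each accepted request rolls the idle window forward, and the absolute cap bounds it. The names `expiresAt` and `replay` are hypothetical, and the request timelines are constructed sample input.

```javascript
// Added illustration: a model of rolling-session expiry, not the SDK's code.
// Times are in seconds, matching the units of the config on this page.
const SESSION = {
  rolling: true,
  inactivityDuration: 30 * 60,   // 30 minutes idle timeout
  absoluteDuration: 8 * 60 * 60, // 8 hours hard cap
};

// Expiry for a session created at `createdAt` and last touched at `lastTouch`.
function expiresAt(createdAt, lastTouch, cfg = SESSION) {
  const hardCap = createdAt + cfg.absoluteDuration;
  if (!cfg.rolling) return hardCap;
  return Math.min(lastTouch + cfg.inactivityDuration, hardCap);
}

// Replays request timestamps against one session (hypothetical helper).
// A request that arrives before expiry is accepted and rolls the idle window;
// the first one at or after expiry ends the session and forces a new login.
function replay(loginAt, requestTimes, cfg = SESSION) {
  let lastTouch = loginAt;
  const results = [];
  for (const t of requestTimes) {
    const exp = expiresAt(loginAt, lastTouch, cfg);
    if (t >= exp) {
      const reason = exp === loginAt + cfg.absoluteDuration ? "absolute" : "idle";
      results.push({ t, ok: false, reason });
      break;
    }
    lastTouch = t;
    results.push({ t, ok: true, expiresAt: expiresAt(loginAt, lastTouch, cfg) });
  }
  return results;
}

const MIN = 60;
// Constructed timeline: a request every 20 minutes for 9 hours.
const steady = Array.from({ length: 27 }, (_, i) => (i + 1) * 20 * MIN);
// Constructed timeline: active for 40 minutes, then a 31-minute gap.
const gap = [10 * MIN, 25 * MIN, 40 * MIN, 71 * MIN];

console.log(replay(0, steady).slice(-1)[0]); // steady activity still ends at the 8 h cap
console.log(replay(0, gap).slice(-1)[0]);    // the 31-minute gap ends the session early
```
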