NextJs Cookie lifetime - Security concerns?

Quick question:

We are thinking of increasing the Auth Cookie lifetime to 14 days instead of the default of 1. Is that something you would advise against security-wise?

Why do we need to do this?

When a user comes back to our app, several API calls are triggered to refresh the data on the current page. If more than 24h have passed since then, the API requests all fail because the session cookie has expired. However, the session lifetime is configured to last 14 days.
The user then has to refresh the window. They get silently redirected to Auth0 and back to our app without having to perform a login, because they are still authenticated in Auth0, so the API calls start to work again.

We use the Node @auth0/nextjs-auth0 library.
The API is protected by withApiAuthRequired and pages by withPageAuthRequired, which have different flows.
To fix this, could we simply set the cookie lifetime to 14 days, like the session's lifetime, using the AUTH0_SESSION_ROLLING_DURATION environment variable as defined here?

Would you recommend another approach to solve this issue without having to force-reload the user's browser when the API fails?

Thanks in advance!
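The two pieces below are an added example, not code from the original post or from the @auth0/nextjs-auth0 project. The first helper mirrors how the library's session cookie expiry is bounded by two limits: the rolling window (AUTH0_SESSION_ROLLING_DURATION, in seconds, so 14 days is 1209600) is capped by an absolute maximum counted from the initial login (AUTH0_SESSION_ABSOLUTE_DURATION), so raising only the rolling value does not extend a session past the absolute one. The second part handles the symptom described above on the client: when a withApiAuthRequired route answers 401 for an expired cookie, send the browser once to the library's login route with a returnTo instead of waiting for the user to reload. Assumed here: the library's routes live under /api/auth, the login route accepts a returnTo query parameter, and an expired session yields HTTP 401; the fake fetch and the navigate callback are constructed so the logic runs outside a browser.

```javascript
// Added example, not from the original post or the @auth0/nextjs-auth0 project.
// Assumptions: library routes under /api/auth, login route accepts `returnTo`,
// withApiAuthRequired returns 401 when the session cookie has expired.
// All durations are in seconds, as in the AUTH0_SESSION_* environment variables.

const ONE_DAY = 24 * 60 * 60;

// Effective cookie expiry as the two limits combine: the rolling window resets
// on every request (updatedAt), but never beyond the absolute limit measured
// from the initial login (issuedAt). The shorter of the two wins.
function sessionExpiresAt({ issuedAt, updatedAt, rollingDuration, absoluteDuration }) {
  return Math.min(updatedAt + rollingDuration, issuedAt + absoluteDuration);
}

// URL that re-establishes the app session without a manual reload: the login
// route redirects to Auth0, which completes silently while the user still has
// an Auth0 session, then returns the browser to `returnTo`.
function loginRedirectUrl(returnTo) {
  return `/api/auth/login?returnTo=${encodeURIComponent(returnTo)}`;
}

// Tracks whether a recovery redirect has already been issued, so that several
// parallel API calls all failing with 401 trigger exactly one navigation.
function createSessionRecovery({ navigate, currentPath }) {
  let redirected = false;
  return {
    // Returns true when the response signals an expired session and recovery
    // has been started (or is already in progress); false otherwise.
    handle(res) {
      if (res.status !== 401) return false;
      if (!redirected) {
        redirected = true;
        navigate(loginRedirectUrl(currentPath));
      }
      return true;
    },
    get redirected() {
      return redirected;
    },
  };
}

// fetch wrapper for client code: resolves to the response, or to null when the
// session is being recovered and the caller should not render the failure.
async function sessionAwareFetch(fetchImpl, recovery, url, init) {
  const res = await fetchImpl(url, { credentials: 'same-origin', ...init });
  return recovery.handle(res) ? null : res;
}

// Constructed demo: one route succeeds, two hit the expired cookie.
const navigations = [];
const recovery = createSessionRecovery({
  navigate: (url) => navigations.push(url), // stands in for window.location.assign
  currentPath: '/dashboard?tab=orders',
});
const fakeFetch = async (url) => ({ status: url.endsWith('/me') ? 401 : 200, url });

Promise.all([
  sessionAwareFetch(fakeFetch, recovery, '/api/items'),
  sessionAwareFetch(fakeFetch, recovery, '/api/me'),
  sessionAwareFetch(fakeFetch, recovery, '/api/me'),
]).then((results) => {
  console.log('results:', results.map((r) => (r ? r.status : 'recovering')));
  console.log('navigated to:', navigations); // a single redirect despite two 401s
});

// Cookie expiry with the defaults I understand the library ships (1 day rolling,
// 7 days absolute) versus a 14-day rolling window: on day 10 of a session the
// 14-day rolling value is irrelevant if the absolute limit is still 7 days.
console.log(
  'expires (14d rolling, 7d absolute, updated day 10):',
  sessionExpiresAt({ issuedAt: 0, updatedAt: 10 * ONE_DAY, rollingDuration: 14 * ONE_DAY, absoluteDuration: 7 * ONE_DAY }) / ONE_DAY,
  'days after login'
);
```

In a browser the `navigate` callback would be `window.location.assign` and `fetchImpl` the global `fetch`; the `currentPath` is `window.location.pathname + window.location.search`. Keeping the one-redirect guard in a single shared object matters because the page fires several API calls at once when the user returns.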

Hi @theo.camboulive,

Welcome to the Auth0 Community!

I understand that you have a security question about modifying the Auth0 Cookie Lifetime from 1 day to 14 days.

After reviewing your use case, I see nothing wrong with changing the cookie lifetime to 14 days. I would, however, recommend choosing the shortest acceptable session lifetime since that will always be safer than a longer-lived token.

I hope this helps!

Please let me know if you have any further questions or concerns.

Thank you.

1 Like

Thanks for the super fast and helpful response! :pray:

1 Like