Quick question:
We are thinking of increasing the Auth Cookie lifetime to 14 days instead of the default of 1 day. Is that something you would advise against, security-wise?
Why do we need to do this?
When a user comes back to our app, several API calls are triggered to refresh the data on the current page. If more than 24h have passed since then, the API requests all fail because the session cookie has expired. However, the session lifetime is configured to last 14 days.
The user then has to refresh the window. They get silently redirected to Auth0 and back to our app without having to log in again, because they are still authenticated in Auth0, so the API calls start working again.
We use the Node @auth0/nextjs-auth0 library. The API is protected by withApiAuthRequired and pages by withPageAuthRequired, which have different flows.
To fix this, could we simply set the cookie lifetime to 14 days, matching the session lifetime, using the AUTH0_SESSION_ROLLING_DURATION environment variable as defined here?
Would you recommend another approach to solve this issue without having to force-reload the user's browser when the API fails?
Thanks in advance!
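To make the two timers behind this question explicit, here is an added example of my own, not code from the original post or from @auth0/nextjs-auth0. It models a rolling session with an absolute cap and replays the scenario from the post (a user who returns after more than a day). It assumes the v1 library defaults of a 24 h rolling duration (AUTH0_SESSION_ROLLING_DURATION=86400) and a 7-day absolute duration (AUTH0_SESSION_ABSOLUTE_DURATION=604800); verify both against the version you actually run. The `sessionState` and `simulateReturn` functions are mine, as is the simplified expiry rule; the library's own implementation may differ in details such as when the cookie is rewritten.

```javascript
// Added example (not code from @auth0/nextjs-auth0 or the original post):
// a model of how a rolling session with an absolute cap expires, showing
// why raising AUTH0_SESSION_ROLLING_DURATION alone may not give 14 days.
// Assumed v1 defaults: rollingDuration = 86400 s (24 h),
// absoluteDuration = 604800 s (7 days). Check your installed version.

const DAY = 24 * 60 * 60;

// Setting described in the post: 24 h rolling window (the assumed default).
const currentConfig = { rolling: true, rollingDuration: 1 * DAY, absoluteDuration: 7 * DAY };

// Raising only the rolling window: the (assumed) 7-day absolute cap still wins.
const rollingOnly = { rolling: true, rollingDuration: 14 * DAY, absoluteDuration: 7 * DAY };

// A real 14-day session needs both knobs. The absolute cap is the one that
// bounds total lifetime regardless of activity, so it is the one to keep tight.
const fourteenDays = { rolling: true, rollingDuration: 14 * DAY, absoluteDuration: 14 * DAY };

/**
 * Decide whether a session cookie is still valid at time `now` (seconds).
 * `createdAt` is the login time; `lastSeen` is the last request that touched
 * (and, when rolling, refreshed) the cookie. Returns { valid, reason }.
 */
function sessionState(config, { createdAt, lastSeen }, now) {
  if (now - createdAt >= config.absoluteDuration) {
    return { valid: false, reason: 'absolute' };   // hard cap since login
  }
  if (config.rolling && now - lastSeen >= config.rollingDuration) {
    return { valid: false, reason: 'idle' };       // idle timeout since last visit
  }
  return { valid: true, reason: null };
}

/**
 * Simulate a user who logs in at t=0, visits once a day for `activeDays` days,
 * then returns after `gapDays` days of absence (the scenario in the post).
 * Returns the session state on the return visit, plus the day it happened.
 */
function simulateReturn(config, activeDays, gapDays) {
  const createdAt = 0;
  let lastSeen = 0;
  for (let d = 1; d <= activeDays; d++) {
    const t = d * DAY;
    if (!sessionState(config, { createdAt, lastSeen }, t).valid) {
      return { valid: false, reason: 'expired during active period', day: d };
    }
    lastSeen = t; // the visit refreshes the rolling cookie
  }
  const back = (activeDays + gapDays) * DAY;
  return { ...sessionState(config, { createdAt, lastSeen }, back), day: activeDays + gapDays };
}

// Walk through the three configurations for the same returning user.
for (const [name, cfg] of Object.entries({ currentConfig, rollingOnly, fourteenDays })) {
  console.log(name, 'back after 2 days:', simulateReturn(cfg, 0, 2));
  console.log(name, 'back after 10 days:', simulateReturn(cfg, 0, 10));
  console.log(name, 'daily for 10 days:', simulateReturn(cfg, 10, 0));
}
```

With the assumed defaults, the post's failure is the `idle` branch: the API cookie lapses after 24 h even though the Auth0 tenant session is still alive, so the page-level redirect silently gets a new one. Raising only the rolling duration moves the failure to the `absolute` branch at day 7; a 14-day session needs both values raised, and whatever you choose, the absolute cap is the value that limits how long a stolen cookie stays usable.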