We are thinking of increasing the Auth Cookie lifetime to 14 days instead of 1 as default. Is that something you would advise against security-wise?
When a user comes back to our app, several API calls are triggered to refresh the data on the current page. If more than 24h have passed since then, the API requests all fail because the session cookie has expired. However, the session lifetime is configured to last 14 days.
The user then has to refresh the window. It gets silently redirected to Auth0 and back to our app without having to perform a login because he is still authenticated in Auth0, so the API calls start to work again.
We use Node
API is protected by withApiAuthRequired and pages with withPageAuthRequired which have different flows.
To fix this, could we simply set the cookie lifetime to 14 days, like the session’s lifetime, using the AUTH0_SESSION_ROLLING_DURATION environment variable as defined here?
Would you recommend another approach to solve this issue without having to force reload the user’s browser when the API fails?
Thanks in advance!