Preferred approach for handling session expiration due to inactivity with django + react

I have looked all around for this and read through the docs but still cannot seem to find the exact answer I am looking for.

I have a web app using auth0 that requires inactivity timeout of 20 minutes. I am using @auth0/auth0-react to manage everything in the react application.

The problem is I cannot figure out how to correctly manage the session expiration due to idleness. Everything I have read in the docs says that the session activity is updated when calling the /authorize endpoint, which auth0-react's getAccessTokenSilently does when the token is expired or if it's going to expire within a minute. My current auth0 settings are:

  • session idle expiration 20 minutes
  • max session expiration 24 hours
  • access token expiration 10 minutes

Consider this scenario.

  • User logs in at 11:01
  • User does some things in the app until 11:08 then stops and session has not been updated yet because token is valid
  • User does not do anything until 11:25 but at this point the session is expired (as of 11:21) and so is token

Now, considering the user stopped all activity at 11:08 the desire is for the session to expire at 11:28 due to inactivity. I assume this is a fairly common use case and admit I likely am overcomplicating this and just not doing it right.

My current approach which does not handle all scenarios is to track mouse clicks and key strokes and debounce them, do a check on when token was issued to say if the token was issued more than 2 minutes ago → when true call getAccessTokenSilently with 'cacheMode': 'off' to get a new token and update session activity.

Help is greatly appreciated.

Hi @andrew.misiti

Welcome to the Auth0 Community!

I am sorry about the delayed response to your questions!

When setting the Idle Session Lifetime inside the tenant settings, the specified time should be the one after which a user accessing your application should have their session terminated and forced re-authentication. This is also mentioned in our documentation:

Idle Session Lifetime → Timeframe (in minutes) after which a user’s session will expire if they haven’t interacted with the Authorization Server. Will be superseded by system limits if over 4,320 minutes (3 days) for Essential or Professional or 144,000 minutes (100 days) for enterprise plans.

So as mentioned in this article as well, interaction with the authorization server specifically refers to requests to /authorize, meaning that you will have to include silent authentication to keep the user logged in, precisely how you already mentioned above. The scenario is also described here in our Session Lifetime Limits documentation.

If you need further clarification on the matter, let me know!
Kind regards,
Remus
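Here is an added example (not code from either post or from Auth0) of the approach Andrew describes and Remus confirms: since only a /authorize round trip extends the Idle Session Lifetime, the client refreshes via getAccessTokenSilently with cacheMode 'off' only while the user is active, and stops once they go idle so the session lapses on schedule. It assumes the 20-minute idle limit and 2-minute refresh threshold from the thread, and takes the auth0-react client and a clock as injected parameters so it runs offline.

```javascript
// Added example: idle-aware keep-alive for an Auth0 SPA session.
// Only a /authorize call (here getAccessTokenSilently with cacheMode 'off')
// extends the tenant's Idle Session Lifetime, so refresh only while the user
// is active and stop once idle, so an abandoned tab cannot keep a session alive.
// Assumed values from the thread: 20 min idle lifetime, refresh once the last
// /authorize is older than 2 min. Client and clock are injected for testing.
const IDLE_LIFETIME_MS = 20 * 60 * 1000;
const MIN_REFRESH_MS = 2 * 60 * 1000;
const DEBOUNCE_MS = 1000;

// Pure decision function, kept separate so it is easy to unit-test.
function shouldRefresh({ now, lastActivityAt, lastAuthorizeAt,
                         idleLifetimeMs = IDLE_LIFETIME_MS, minRefreshMs = MIN_REFRESH_MS }) {
  // Idle past the tenant limit: do not revive a session the user walked away from.
  if (now - lastActivityAt >= idleLifetimeMs) return false;
  // Otherwise hit /authorize only if the previous call is old enough to matter.
  return now - lastAuthorizeAt >= minRefreshMs;
}

// getAccessTokenSilently: the function returned by useAuth0() in @auth0/auth0-react.
// Wire onActivity to DOM listeners, e.g. window.addEventListener('click', ka.onActivity).
function createSessionKeepAlive({ getAccessTokenSilently, now = () => Date.now(),
                                  debounceMs = DEBOUNCE_MS, ...limits }) {
  let lastActivityAt = now();
  let lastAuthorizeAt = now(); // login just completed a /authorize round trip
  let timer = null;
  let inflight = null;

  // One /authorize round trip at a time; cacheMode 'off' forces a real call.
  // If the session already expired Auth0 rejects with login_required; let that
  // propagate so the app can send the user back to login.
  function refresh() {
    if (!inflight) {
      inflight = getAccessTokenSilently({ cacheMode: 'off' })
        .then(() => { lastAuthorizeAt = now(); })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  // Debounced: a burst of clicks and keystrokes costs a single check.
  function onActivity() {
    lastActivityAt = now();
    clearTimeout(timer);
    timer = setTimeout(check, debounceMs);
  }

  function check() {
    clearTimeout(timer);
    timer = null;
    const due = shouldRefresh({ now: now(), lastActivityAt, lastAuthorizeAt, ...limits });
    return due ? refresh() : Promise.resolve();
  }

  return { onActivity, check };
}
```

With the thread's timeline, the last refresh happens on the final activity around 11:08, so the Auth0 session lapses about 20 minutes later instead of at 11:21.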
