Auth0 Home Blog Docs

Universal Login keep user logged in

login
#1

We are using Universal Login and have the following scenario + a couple of questions:

We would like to implement a functionality where the user stays logged in as long as he/she is active.

It seems that after navigating to our custom domain a cookie auth0 is set with max age of 3 days. We had a look at how to configure this cookie, but it seems it is nonconfigurable (not sure if I’m conflating the maximum inactivity timeout with the cookie max age) - How to change the access_token expiry?.

To implement the functionality mentioned above it seems that we need to renew this cookie and the cookie from our own application. With the embedded login it’s a bit clearer (and easier) how to do it since there’s only one cookie and we are the ones that control it. However with Universal Login we have no control over the second cookie so even if our app cookie gets refreshed the auth0 cookie will not, leading to inconsistencies - i.e. the user will still be logged in our app, but if he/she navigates to our login page he will be prompted for credentials.

Also we want to change that setting to 10 days instead of 3 days. Is this possible? Where should we look at and is there a proper, built-in way to control this? If not what is the value of the auth0 cookie and is it safe to set it? Are there any workarounds available?

#2

The maximum allowed inactivity timeout (for shared tenant environments at least) is 3 days. If you set the timeout to its 3 day max (in tenant advanced settings) the user’s SSO session will time out after 3 days of inactivity.

The timeout for individual tokens is set in each application’s settings. I believe the usual practice is to make these as short as possible (we set ours to 5 minutes) in order to minimize exposure if an account is compromised, blocked, or deleted.

2 Likes
closed #3

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.