What are the best practices for session management?

Hey,

We built a SPA that communicates with a micro-services API. I tried configuring the session to time out every 30 minutes, so the user has to re-login every 30 minutes.

I updated

  • Tenant Settings - Login Session Management
  • SPA - ID Token Expiration
  • API - Access Token Lifetime

It works.

I’m not sure if I have to configure all of the above, or if I can ignore some of them, or if in fact I missed some others.

Also, I noticed that the default expiration settings for sessions and tokens are quite long, I’m not sure what the best practice is, the longer the better?

Please advise, thanks.

Hi @gavin.liu

Welcome to the Auth0 Community!

I’ve checked our documentation regarding session management. If your main goal is to force the user to log in after the 30 minute mark, "Require log in after" in the Login Session Management setting will do the work. But having other pieces of the flow that cover the same requirement reduces the chance of failure due to untested changes, etc.

Require log in after: Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. Will be superseded by system limits if over 43,200 minutes (30 days) for Essential or Professional or 525,600 minutes (365 days) for Enterprise plans.

Thanks
Dawid

Thanks Dawid

I am not sure about this.
I configured the Session Lifetime and it only works when I refresh the page. However, even if it times out, I can still get the access token to trigger the microservices; it works until I set the access token lifetime to be the same as the session lifetime.
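The behaviour described in the last reply comes down to how an API validates a bearer token: the API checks the signature and the token's own `exp` (and optionally `iat`) claims, so ending the login session at the identity provider does nothing to a token that was already issued. The following is an added illustration, not code from this thread or from Auth0. It uses a self-contained HS256 JWT so it runs offline (Auth0 signs access tokens with RS256, and a real API would use a JWT library with the tenant's JWKS); the secret, subject and timestamps are constructed values, and the 24-hour "long" token lifetime is an assumed example value. It shows the two mitigations a defender has: align the API's access token lifetime with the session lifetime (the fix found in the thread), or additionally have the API reject tokens whose `iat` is older than the session window.

```python
"""Why an already-issued access token keeps working after the login session
expires, and two API-side mitigations. Self-contained HS256 JWT for illustration
only (Auth0 uses RS256); all keys and timestamps are constructed sample values."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"   # stand-in for the API's signing key (assumption)
SESSION_LIFETIME_S = 30 * 60          # "Require log in after" = 30 minutes, as in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(subject: str, issued_at: int, lifetime_s: int) -> str:
    """Mimics the authorization server issuing an access token; the
    'API - Access Token Lifetime' setting controls exp - iat."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime_s}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: int,
                        max_token_age_s: Optional[int] = None) -> Optional[dict]:
    """API-side check. Returns the claims if accepted, None if rejected.
    Standard behaviour: valid signature and exp > now. Optional hardening:
    also reject tokens issued more than max_token_age_s ago (iat)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":      # never accept an unexpected algorithm
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    if max_token_age_s is not None and now - claims.get("iat", 0) > max_token_age_s:
        return None
    return claims


def token_still_works_after_session_end(access_token_lifetime_s: int,
                                        max_token_age_s: Optional[int] = None) -> bool:
    """Simulate: login and token issuance at t0, then an API call one second after
    the 30-minute login session has ended. The session ending never touches the
    token, so only the token's own claims (and the API's checks) decide."""
    t0 = 1_700_000_000                                # constructed login time
    token = mint_access_token("user123", t0, access_token_lifetime_s)
    now = t0 + SESSION_LIFETIME_S + 1
    return verify_access_token(token, now, max_token_age_s) is not None


if __name__ == "__main__":
    # Long token lifetime (assumed 24 h) with a 30 min session: still accepted.
    print("24h token, 30 min session:", token_still_works_after_session_end(24 * 3600))
    # Token lifetime aligned with the session lifetime (the thread's fix): rejected.
    print("token lifetime == session lifetime:", token_still_works_after_session_end(30 * 60))
    # Long token lifetime, but the API caps token age at the session window: rejected.
    print("24h token, API caps age at 30 min:",
          token_still_works_after_session_end(24 * 3600, 30 * 60))
```

The simulation shows why changing only the session lifetime appeared to work on page refresh (the SPA had to re-authenticate) while direct API calls kept succeeding: the API never consults the session. Aligning the access token lifetime with the session lifetime is the Auth0-side fix; the `iat` age cap is an extra check an API can apply on its own so that a long-lived token cannot outlive the login window it was issued in.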
