Use Cases: Configure Keep Me Signed In using Sessions
Before you start
Ensure you have:
A Custom Domain configured Auth0 tenant configured for your application
Auth0 CLI installed and authenticated.
An Auth0 tenant session using the non-persistent sessions policy
(Optional) Configure Session's Idle and absolute session timeout values
The Keep Me Signed In experience provides users the option to stay logged-in on a trusted device.
If the Keep Me Signed In checkbox is selected, it sets a persistent session which survives browser restarts.
If the Keep Me Signed In checkbox is not selected, it sets a non-persistent session which expires when the browser closes.
Using non-persistent (ephemeral) sessions with Actions, the server securely handles this logic without exposing refresh tokens to the frontend.
Using Custom Prompts, Auth0 CLI, and ephemeral sessions via Actions, you can implement a secure and modern "Keep Me Signed In" flow with no refresh tokens, no client-side session hacks, and full backend control.
This solution is ideal for customers prioritizing:
Zero-trust browser session handling
Minimal session persistence
Trusted device overrides
Configure a Universal Login page and Add a custom prompt
To gather the user’s Keep Me Signed In preference, you need to customize Universal Login by configuring a page template and adding a custom prompt using Auth0 CLI.
Optional: Enable the Universal Login page template
This step is only required if your tenant does not have a Universal Login template configured.
Use the following command to create or update the page template:
auth0 universal-login templates updateWas this helpful?
The customization editor opens the login page template. You can use any HTML structure that fits your brand.
Here is a minimal example template with a background and wrapped widget:
<!DOCTYPE html>
<html lang="{{locale}}">
<head>
{%- auth0:head -%}
<style>
body {
background-image: url("https://images.unsplash.com/photo-1643916861364-02e63ce3e52f");
background-size: cover;
background-position: center;
}
.prompt-wrapper {
display: flex;
align-items: center;
justify-content: center;
height: 100%;
background-color: rgba(0, 0, 0, 0.3);
}
</style>
<title>{{ prompt.screen.texts.pageTitle }}</title>
</head>
<body class="_widget-auto-layout">
{% if prompt.name == "login" or prompt.name == "signup" %}
<div class="prompt-wrapper">
{%- auth0:widget -%}
</div>
{% else %}
{%- auth0:widget -%}
{% endif %}
</body>
</html>Was this helpful?
Save and close the editor, the Auth0 CLI prompts you to confirm:
Do you want to save the template? Yes
▸ Successfully updated the template for the New Universal Login Experience!Was this helpful?
Add a Keep Me Signed In checkbox using Auth0 CLI
To add a checkbox into the Universal Login screen, follow these steps:
Launch the customization editor
Open the customization editor for the login-id or login prompt depending on your tenant configuration:
auth0 universal-login customize -p login-idWas this helpful?
Select Standard for rendering mode.
Rendering Mode: standardWas this helpful?
The customization editor launches at a local address:
http://localhost:52649Was this helpful?
If you are unsure whether your tenant uses login or login-id, refer to Auth0’s prompt customization.
Configure the checkbox
Open the Partials option in the customization editor:
Set Prompt to:
login-id(or login)Set Screen to:
login-id(or login)Set Partial to: form-footer-end
Add the following HTML snippet:
<div class="ulp-field">
<input type="checkbox" name="ulp-remember-me" id="remember-me">
<label for="remember-me">Stay signed in on this device?</label>
</div>Was this helpful?
This renders the checkbox underneath the login form.
Deploy your changes
Select Deploy Changes in the top-right corner to save and apply the customization.
Checkpoint
The login screen includes a Keep Me Signed In checkbox.
If you use the example template, the login screen appears with proper alignment and styling.
Create a Post-Login Action using Auth0 CLI
Create a new file called set-session-persistence.js for use with Auth0 CLI and add the following code:
exports.onExecutePostLogin = async (event, api) => {
// Apply the change only when the parameter is available
if (event.request.body['ulp-remember-me']) {
api.session.setCookieMode('persistent');
}
};Was this helpful?
Use Auth0 CLI to create or update your post-login Action using the set-session-persistence.js file:
auth0 actions create --name kmsi --trigger post-login --code "$(cat set-session-persistence.js)"Was this helpful?
Auth0 CLI returns the Action Id:
ID f54c4aae-431f-4290-a7e0-cfc6a3f28386
NAME kmsi
TYPE post-login
STATUS pending
DEPLOYED ✗
LAST DEPLOYED
LAST UPDATED 0 seconds ago
CREATED 0 seconds ago
CODE exports.onExecutePostLogin = async (event, api) => {
if (event.request.body['ulp-remember-me']) {
api.session.setCookieMode("persistent");
} else {
api.session.setCookieMode("non-persistent");
}
};Was this helpful?
Deploy your Action using its id:
auth0 actions deploy <id>Was this helpful?
Navigate to the Auth0 Dashboard > Actions > Triggers > Post-Login to add the new action to the current flow and select Apply.
Optional - Set Session duration for trusted devices
You can use api.session.setExpiresAt() or api.session.setIdleExpiresAt()methods to further customize session lifetimes.
exports.onExecutePostLogin = async (event, api) => {
if (event.request.body['ulp-remember-me']) {
api.session.setCookieMode("persistent");
const now = Date.now();
api.session.setExpiresAt(now + 7 * 24 * 60 * 60 * 1000); // 7 days
} else {
api.session.setCookieMode("nonpersistent");
}
};Was this helpful?
Test implementation
To verify the session behavior, you can:
Log in using Universal Login, and select the Keep Me Singed In checkbox.
In the tenant logs, search for (event types
sorssa)cookie: { mode: "non-persistent" }cookie: { mode: "persistent" }
Search for
event.session.cookie.modein your Actions