Session Lifecycle
An Auth0 session lifecycle begins when a user logs in, remains active with user interaction, and ends when the session expires or is explicitly terminated.
Auth0 considers a session active when a user interacts with the Authorization server.
For example:
Calling the /authorize endpoint
Issuing silent authentication
Logging in to a new application using Single Sign-On
A session can be persistent or non-persistent; this allows you to configure how a session cookie behaves in a browser.
Persistent sessions store cookies with a future expiration timestamp.
Non-persistent sessions store cookies with Expires=0, which tells the browser to delete the cookie when the browser is closed.
Session lifetime
Persistent and non-persistent sessions can be configured with their own Idle and Absolute (Maximum) lifetimes to define a session expiration.
Idle timeout
Idle timeout defines the maximum duration of inactivity allowed. Each time a user interacts with Auth0 via Single Sign-On (SSO), silent authentication or /authorize, the idle timer resets. If no interaction with Auth0 happens during the configured period, the session expires.
Absolute timeout (Maximum)
Absolute timeout defines the maximum duration a session can remain valid regardless of user activity. Once absolute timeout is reached, the session expires and the user will need to reauthenticate.
Learn how to Configure Session Lifetime.
Session lifetime limits
Session lifetime has the following limits:
Session type | Timeout type | Description | Maximum (Self-Service plans) | Maximum (Enterprise plans) |
---|---|---|---|---|
Non-persistent | Inactivity timeout | Timeframe after which a session expires if there’s no interaction with the Authorization Server | 3 days | 100 days |
Non-persistent | Require Login after | Maximum session lifetime, regardless of activity | 30 days | 365 days |
Persistent | Inactivity timeout | Timeframe after which a session expires if there’s no interaction with the Authorization Server | 3 days | 100 days |
Persistent | Require Login after | Maximum session lifetime, regardless of activity | 30 days | 365 days |
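The following JavaScript is an added example, not Auth0 code: it models how the idle and absolute timeouts described above combine into one expiry time, and checks proposed values against the maximums in the limits table. The names `validateLifetimes`, `evaluateSession`, `idleMs` and `absoluteMs` are hypothetical, and treating a session as expired at the exact instant a timer runs out is an assumption of this model.

```javascript
// Added model of the idle/absolute rules on this page; not Auth0's implementation.
const DAY = 24 * 60 * 60 * 1000;

// Maximums from the limits table (identical for persistent and non-persistent sessions).
const LIMITS = {
  "self-service": { idle: 3 * DAY, absolute: 30 * DAY },
  enterprise: { idle: 100 * DAY, absolute: 365 * DAY },
};

// Returns a list of problems; an empty list means the values fit the plan.
function validateLifetimes(plan, idleMs, absoluteMs) {
  const max = LIMITS[plan];
  if (!max) return [`unknown plan: ${plan}`];
  const problems = [];
  if (!(idleMs > 0) || !(absoluteMs > 0)) problems.push("lifetimes must be positive");
  if (idleMs > max.idle) problems.push("inactivity timeout exceeds plan maximum");
  if (absoluteMs > max.absolute) problems.push("require-login-after exceeds plan maximum");
  return problems;
}

// Replays interaction timestamps (ms) against one session created at createdAt.
// An interaction resets the idle timer only if the session is still alive when it arrives.
function evaluateSession({ idleMs, absoluteMs }, createdAt, interactions, now) {
  const absoluteEnd = createdAt + absoluteMs;
  let lastSeen = createdAt;
  for (const t of [...interactions].sort((a, b) => a - b)) {
    if (t > now) break; // future events are not yet known
    if (t >= Math.min(lastSeen + idleMs, absoluteEnd)) break; // arrived after expiry
    lastSeen = t;
  }
  const idleEnd = lastSeen + idleMs;
  const expiresAt = Math.min(idleEnd, absoluteEnd);
  if (now < expiresAt) return { active: true, expiresAt, reason: null };
  // Whichever timer ran out first is the reason the user must reauthenticate.
  return { active: false, expiresAt, reason: idleEnd <= absoluteEnd ? "idle" : "absolute" };
}
```

The model shows that steady activity keeps resetting the idle timer but never moves the absolute deadline, so a continuously active user is still forced to reauthenticate once the absolute lifetime elapses.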
Next Steps
To learn more about using Actions to configure the session lifecycle, read Sessions with Actions.
To learn more about Auth0 Management API Session Management Endpoints, read Sessions with Management API.