Session lifetime limits determine how long the system should retain a login session. In Auth0, two settings can be configured for session lifetime:
Inactivity timeout: Timeframe after which a user's session will expire if they haven’t interacted with the Authorization Server. Will be superseded by system limits if over 3 days for self-service plans or 100 days for enterprise plans.
Require log in after: Timeframe after which a user will be required to log in again, regardless of their activity. Will be superseded by system limits if over 30 days for self-service plans or 365 days for enterprise plans.
Application-specific logout URLs
There are two important things to consider when you use application-specific logout URLs:
You must send
client_idas a query parameter when calling the
/v2/logoutendpoint and the
returnToURL must be in the application’s list of allowed logout URLs.
This will end the Auth0 Session for the entire tenant - i.e. for all defined applications, not just the one that matches the
client_idsupplied. Passing the
logoutendpoint where to look for the logout URL white-list.
After the user logout occurs Auth0 will only redirect to a URL that is defined in this list.
In the case a user has not taken any actions that would cause the Auth0 session to be updated it is recommended that warning be raised to the user to choose to explicitly continue their session.
The intent of this approach allows the session to go inactive if the user is no longer present, but otherwise provides a means to trigger the silent token refresh so that the can continue their session without the need to be prompted again for credentials.
Inactivity Timer: A rolling timer should be added to the React SDK wrapper that aligns with the maximum idle lifetime of the Auth0 session. Each time a token is returned to the application the timer should be reset.
Timeout Modal: When the timer hits 60 seconds from expiration a timeout modal should render requesting the user to logout or continue their session.
Continue the session: In the case the user chooses to continue their session the getTokenSilently() method can be used to request a new token without needing to redirect the user from the page they are currently interacting with.
Logging out: In the case the user chooses to logout the logout() method should be called to assure the Auth0 session is ended as well.
Idle Timeout: In the case that the idle timeout is reached no immediate action is necessary. To handle the fact that the user may still be active in another tab, the behavior should not be to log the user out.
Other options might include updating the modal with a login button, using the window.onfocus event to trigger
getTokenSilently(), or redirecting the user to landing page.
Examples: Session lifetime limits
Auth0 maintains a login session for any user who authenticates via an application. When a user performs a new standard login, it resets the login session. Let's look at an example.
- You set the Inactivity timeout limit to 3 days and the Require log in after limit to 30 days.
- A user logs in and your entered values are set for their session.
- If the user is active within the three-day Inactivity timeout timeframe, the session lifetime is extended for another three days. As long as the user is active within the next three days, their session lifetime will be extended for another three days, until the Require log in after limit is reached. At this point, the user will be required to log in again.
- If the user is inactive for three days, they will automatically be logged out.
- While the user is logged in, you extend the existing session lifetime limits. The new settings will not take effect until the existing session ends, and the user logs in again.
- While the user is logged in, you reduce the existing lifetime limits. The new settings will take effect immediately upon the user's next activity. This allows you to shorten session lifetimes for security purposes.