Question about appSession lifetime and the underlying Auth0 Session #393
Comments
Hi @javapapo - thanks for raising this
Short answer, it's not. This SDK doesn't establish a session that correlates to any specific Identity Provider's session. It sets a session based on the session configuration you give it.
If you want a short-lived session on your application but to leverage a longer session set in your Identity Provider, you could attempt silent login when your application session expires; this will effectively log the user back in without prompting them (provided you still have a session on the IdP): app.get('/silent-login', (req, res) => res.oidc.silentLogin())
No problem @javapapo
Have a look at https://auth0.com/docs/manage-users/sessions/session-layers. The Application Session Layer is the one managed by this SDK with the The Auth0 Session Layer is managed by Auth0 with the
Great! @adamjmcgrath I can not say enough thanks for clarifying that.
Describe the problem you'd like to have solved
Slightly better documentation on the correlation of the appSession client side cookie and the Auth0 Session (server side) life cycle.
Describe the ideal solution
Improvement on documentation or some extra clarification
Additional information, if any
My request starts from this basic question. See also here: https://community.auth0.com/t/correlation-of-the-appsession-cookie-expiration-and-the-auth0-server-side-session/91738?u=parisapostolopoulos
Hello, I have a basic question; I guess it is mostly around understanding and verifying certain aspects of our implementation.
I am using express-openid-connect (GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications) in order to implement auth, backed by Auth0, on a React/SPA setup.
My question relates to the nature of the cookie, aka appSession, that is dropped by the middleware upon successful login, and the Auth0 Session.
On the OpenID Connect library we use the defaults in terms of cookie expiration and policy as defined here: https://github.com/auth0/express-openid-connect/blob/master/V2_MIGRATION_GUIDE.md#session-lifecycle-configuration and the cookie works as expected.
What is not clear to us is how the different settings on the expiration of the client side cookie, aka the appSession cookie, reflect or not on the actual Auth0 Session. On the Auth0 tenant we have the Persistent Session option selected.
Example:
We have set our cookie with the following settings: absolute expiry policy 1 month.
So once you log in, the appSession cookie is dropped to the browser and the expiration policy is 1 month.
At the same time, on the Auth0 tenant we have the following setting (Settings > Advanced > Persistent Session).
It's not really clear to me how this works with the underlying Auth0 Session.
Since our appSession cookie is set to expire in 1 month, we can see that, as an end user, practically I am logged in for 1 month and I am not required to log in again. But we have a feeling this is not the correct use of the cookie + session. We would like to make use of the Auth0 long-lived session.
So my main question is: how does the appSession cookie correlate with the Auth0 Session?
If I reset my cookie expiration policy to some defaults, e.g. one day, how shall I take advantage of the Auth0 long-lived session? Is it a matter of just increasing the Inactivity timeout to 1 month, for example?
Thanks for any tips
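The following is an added example, not code from express-openid-connect, Auth0 or any participant in this thread. It models the two session layers discussed here as plain data, so the interplay between the appSession cookie lifetime (the SDK's `session.rolling`, `session.rollingDuration` and `session.absoluteDuration` options) and the Identity Provider's persistent session can be checked offline, including the silent-login fallback from the maintainer's answer. The IdP policy values, the visit schedule and the helper names (`appSessionValid`, `idpSessionValid`, `handleRequest`, `simulate`) are constructed assumptions; only the option names mirror the SDK's `session` config.

```javascript
// Added example (not SDK code). All durations and timestamps are in seconds,
// matching the unit the SDK's session options use.
const DAY = 24 * 60 * 60;

// Constructed app-layer configs in the shape of the SDK's `session` option.
// The SDK's documented defaults are rolling: true, rollingDuration: 86400 (1 day)
// and absoluteDuration: 604800 (7 days).
const shortAppSession = { rolling: true, rollingDuration: 1 * DAY, absoluteDuration: 7 * DAY };
// The setup described in the question: a non-rolling cookie with a 1-month absolute expiry.
const monthLongAppSession = { rolling: false, rollingDuration: 1 * DAY, absoluteDuration: 30 * DAY };

// Constructed IdP-layer policy (assumed values, not any tenant's real settings):
// a persistent IdP session with an inactivity timeout and a hard cap.
const idpPolicy = { inactivityTimeout: 30 * DAY, absoluteTimeout: 30 * DAY };

// App-layer session validity at `now`: a rolling session expires after
// `rollingDuration` of inactivity; every session expires `absoluteDuration`
// after creation regardless of activity.
function appSessionValid(config, session, now) {
  const withinAbsolute = now - session.createdAt < config.absoluteDuration;
  const withinRolling = !config.rolling || now - session.lastSeenAt < config.rollingDuration;
  return withinAbsolute && withinRolling;
}

// IdP-layer session validity: both the inactivity and the absolute limit must hold.
function idpSessionValid(policy, idp, now) {
  return now - idp.createdAt < policy.absoluteTimeout &&
         now - idp.lastSeenAt < policy.inactivityTimeout;
}

// Outcome of one request at `now`. An expired app session is first retried
// silently against the IdP (the silentLogin route from the answer above);
// only when the IdP session is gone too does the user see a login prompt.
function handleRequest(appConfig, policy, state, now) {
  if (appSessionValid(appConfig, state.app, now)) {
    if (appConfig.rolling) state.app.lastSeenAt = now; // rolling sessions extend on use
    return 'serve';
  }
  if (idpSessionValid(policy, state.idp, now)) {
    // Silent login succeeded: a fresh app session is minted, IdP activity refreshed.
    state.app = { createdAt: now, lastSeenAt: now };
    state.idp.lastSeenAt = now;
    return 'silent-login';
  }
  // Both layers expired: interactive login creates both sessions anew.
  state.app = { createdAt: now, lastSeenAt: now };
  state.idp = { createdAt: now, lastSeenAt: now };
  return 'interactive-login';
}

// Replays a list of visit times (seconds since an initial login at t = 0)
// and returns the outcome of each visit.
function simulate(appConfig, policy, visitTimes) {
  const state = {
    app: { createdAt: 0, lastSeenAt: 0 },
    idp: { createdAt: 0, lastSeenAt: 0 },
  };
  return visitTimes.map((t) => handleRequest(appConfig, policy, state, t));
}

// Constructed schedule: a user who returns every two days for twenty days.
const everyTwoDays = [2, 4, 6, 8, 10, 12, 14, 16, 18, 20].map((d) => d * DAY);
console.log('1-month cookie :', simulate(monthLongAppSession, idpPolicy, everyTwoDays).join(' '));
console.log('default cookie :', simulate(shortAppSession, idpPolicy, everyTwoDays).join(' '));
console.log('long absence   :', simulate(shortAppSession, idpPolicy, [2 * DAY, 40 * DAY]).join(' '));
```

With the month-long cookie the app layer alone keeps the user signed in for the whole period, so the IdP session never matters; with the short default cookie the user is kept signed in for just as long, but through a silent re-login against the still-valid IdP session on each return, and only an absence longer than the IdP's own timeout produces an interactive login. In the real application the short config is what you pass as `auth({ session: ... })`, and the silent re-login is the `res.oidc.silentLogin()` route from the answer above.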