Change the default session duration to 1 day

[adamjmcgrath]

Description

Our security review suggested that 7 days for the app session cookie to expire is perhaps a little long for a default.

I had a look around, well just at auth0-spa-js, and noticed that uses 1 day.

Since the auth server handles the underlying session, it shouldn't noticeably effect user experience.

References

https://auth0team.atlassian.net/wiki/spaces/SDL/pages/588286390/express-openid-connect+SDK#Security-Misconfiguration

Testing

• This change adds test coverage for new/changed/fixed functionality

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not master

[lbalmaceda]

Yes! 🎉

[YousefED]

@adamjmcgrath can you explain Since the auth server handles the underlying session, it shouldn't noticeably effect user experience.? Won't the value of 1 day mean all users have to re-login after 1 day?

[adamjmcgrath]

@YousefED If the user is already logged in with their identity provider, the authorize call will just redirect them back to the application with the credentials, without requiring them to login.

[YousefED]

@YousefED If the user is already logged in with their identity provider, the authorize call will just redirect them back to the application with the credentials, without requiring them to login.

Thanks @adamjmcgrath. Makes sense. Does that also count for auth0 Database username / password provider? Which setting in Auth0 handles the session time on that side?

[adamjmcgrath]

Hey @YousefED

Does that also count for auth0 Database username / password provider?

Yes, it should do

Which setting in Auth0 handles the session time on that side?

In your tenant settings under "Advanced" - there's a section called "Log In Session Management"