Hi,
I'm observing some behavior with session expiry that I'm not entirely sure is correct, and I'd appreciate some clarification on how these settings are intended to work together.
My current test setup:
* SSO session inactivity timeout: 24 hours (Persistent)
* Access token expiry: 24 hours
* Refresh token expiry: 15 days
What I'm seeing: I close my browser, return after a week of inactivity, and I'm still logged in. However, when I query active sessions via the Management API, it returns an empty list. If I explicitly sign out and sign back in, the new session appears again as expected.
My assumption was that session expiry controls how long a refresh token can remain unused. In other words, if session expiry is set to 24 hours, the user would need to use their refresh token at least once within that window to keep the session alive. If there's no activity for more than 24 hours, the session would be invalidated regardless of the refresh token's 15-day validity period.
However, based on what I'm observing, it appears the refresh token can still be used after a week of inactivity, which raises the question of what the session expiry setting actually controls.
I'd appreciate clarification on the following:
1. What does session expiry actually control in practice?
2. If I need to match refresh token expiry to session expiry for this to work as I described, what is the distinction between SSO session expiry settings and token configuration? They would essentially serve the same purpose at that point.
3. Why would the active sessions endpoint return empty when the user is clearly still authenticated?
Thank you for your help.
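For reference, here is a small model of the behaviour the post expects: refresh tokens bound to a server-side SSO session whose idle timer is checked on every refresh, using the post's 24-hour idle timeout and 15-day refresh lifetime. This is an added example written for this thread, not the identity provider's code; the `AuthServer`, `Session` and `RefreshToken` names are invented, and the idle check at refresh time is exactly the assumption the post is asking about.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Settings taken from the post; the enforcement logic below is a constructed model.
SSO_IDLE_TIMEOUT = timedelta(hours=24)
REFRESH_TOKEN_TTL = timedelta(days=15)

@dataclass
class Session:
    last_activity: datetime
    revoked: bool = False
@dataclass
class RefreshToken:
    session_id: str
    issued_at: datetime

class AuthServer:
    def __init__(self):
        self.sessions: dict[str, Session] = {}
    def login(self, now: datetime) -> RefreshToken:
        sid = f"sess-{len(self.sessions) + 1}"   # constructed session id
        self.sessions[sid] = Session(last_activity=now)
        return RefreshToken(sid, now)
    def refresh(self, token: RefreshToken, now: datetime) -> str:
        # Returns 'ok' or the reason the refresh was refused.
        if now >= token.issued_at + REFRESH_TOKEN_TTL:
            return "refresh token expired"          # absolute 15-day lifetime
        session = self.sessions.get(token.session_id)
        if session is None or session.revoked:
            return "session gone"
        if now - session.last_activity > SSO_IDLE_TIMEOUT:
            session.revoked = True                  # idle too long: session dies
            return "session idle timeout"
        session.last_activity = now                 # activity extends the session
        return "ok"
    def active_sessions(self) -> list[str]:
        return [sid for sid, s in self.sessions.items() if not s.revoked]

def run_scenarios() -> dict[str, object]:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time
    a = AuthServer()                                # A: away for a week, as in the post
    tok_a = a.login(t0)
    week_later = a.refresh(tok_a, t0 + timedelta(days=7))
    b = AuthServer()                                # B: refresh every 23h, then past 15 days
    tok_b = b.login(t0)
    daily = [b.refresh(tok_b, t0 + timedelta(hours=23 * n)) for n in range(1, 16)]
    after_ttl = b.refresh(tok_b, t0 + timedelta(hours=23 * 16))
    return {"week_later": week_later, "sessions_after_a": a.active_sessions(),
            "daily_ok": all(r == "ok" for r in daily), "after_ttl": after_ttl}
```

Under this model the week-later refresh is refused and the session list comes back empty, while regular use keeps the session alive until the refresh token's own 15-day lifetime ends.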