How to do checkSession without making session rolling? #1458

Closed
5 tasks done
benevbright opened this issue Sep 26, 2023 · 11 comments

benevbright commented Sep 26, 2023

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I think it's a pretty common feature, but I can't find a simple solution for it: kicking the user out automatically after `rollingDuration` has passed.

The same question in the Auth0 community: https://community.auth0.com/t/checksession-counts-as-session-activity/27521

Basically, when I use `checkSession` in a poller (e.g. every 10 minutes), it makes the session roll, so I can't achieve the auto logout (the classic thing where your heartbeat keeps you awake).

Describe the ideal solution

There should be a way to check the session without making the session roll.

Alternatives and current workarounds

  • The only way I can think of is checking the user's `updated_at` and calculating the session's time, which is not ideal.
  • Or call logout directly after some user-inactive time has passed, which would make the logic fragile.

Additional context

No response

benevbright commented Sep 26, 2023

#1116: this PR has implemented a similar thing to what I need.

benevbright commented Sep 26, 2023

OK. What I wanted to do can be done by disabling `autoSave`. Explained here: #1116 (comment)

@adamjmcgrath @aovens-quantifi Is it possible to do it the other way around as well with the current implementation?

Basically, I'd like to enable `autoSave: true` and have a way to call `checkSession` without extending the session.

benevbright commented Sep 26, 2023

OK, after investigating a bit, the best option seems to be:

  • Configure `autoSave: false`, `rollingDuration: XXX` (both are available as ENV vars).
  • Call `const { checkSession } = useUser(); checkSession()` in the poller -> it won't extend the session, and it kicks the user out to logout after inactivity.
  • Put `await touchSession(req, res);` in our API router or in the router middleware -> it makes the session roll so the user can continue using the app.

Let me know if there is an even better way.
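
The setup described in the comment above, as an added example that is not part of the original thread and not nextjs-auth0 code: a simplified JavaScript model of a rolling idle timeout, comparing a session where every read rolls the expiry with one where only real API calls extend it. The class, the function names and the timeline are hypothetical and constructed for illustration.

```javascript
// Simplified model of a rolling session; NOT the nextjs-auth0 implementation.
// RollingSession, read, touch and simulate are hypothetical names.
class RollingSession {
  constructor({ rollingDuration, autoSave }) {
    this.rollingDuration = rollingDuration; // idle timeout in seconds
    this.autoSave = autoSave;
    this.expiresAt = rollingDuration; // session created at t = 0
  }

  // A read (such as a session check from a poller) rolls the expiry when
  // autoSave is on: the behaviour the issue describes.
  read(now) {
    if (now >= this.expiresAt) return null; // idle timeout reached
    if (this.autoSave) this.expiresAt = now + this.rollingDuration;
    return { expiresAt: this.expiresAt };
  }

  // Explicit extension, called only where a request is real user activity.
  touch(now) {
    if (now >= this.expiresAt) return false;
    this.expiresAt = now + this.rollingDuration;
    return true;
  }
}

// Constructed timeline: API calls at the given seconds, a poller every
// pollEvery seconds. Returns the time of the first poll that finds the
// session expired, or null if it never expires within `until`.
function simulate({ autoSave, rollingDuration, pollEvery, apiCalls, until }) {
  const session = new RollingSession({ rollingDuration, autoSave });
  const calls = new Set(apiCalls);
  for (let t = 1; t <= until; t++) {
    // API route: with autoSave off the handler extends the session itself.
    if (calls.has(t) && session.read(t) && !autoSave) session.touch(t);
    if (t % pollEvery === 0 && session.read(t) === null) return t;
  }
  return null;
}

// 30-minute idle timeout, 10-minute poller, last real activity at t = 900 s.
const base = { rollingDuration: 1800, pollEvery: 600, apiCalls: [300, 900], until: 14400 };
const withAutoSave = simulate({ ...base, autoSave: true });
const withExplicitTouch = simulate({ ...base, autoSave: false });
console.log({ withAutoSave, withExplicitTouch });
```

With these constructed values the poller alone keeps the auto-saved session alive for the whole four hours, while the explicit-touch variant is logged out at the first poll after the last API call plus the idle timeout.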

aovens-quantifi commented

We deliberately chose to do it this way in order to have the smallest blast radius. This way your "don't touch the session" logic can be whatever you want it to be and the rest of the time you just call touchSession

benevbright commented

EDIT: I previously mentioned `autoSave: true`. It's simply a mistake. I meant `autoSave: false`.

@aovens-quantifi thanks for the comment 👍

cjsauer commented Sep 27, 2023

Quick question related to this issue: I can't seem to find touchSession as part of the public API anymore using version 3.1.0. Has it been deprecated in favor of something else?

benevbright commented

@cjsauer I'm also using 3.1.0. You can find it from `initAuth0()` in the API router.

cjsauer commented Sep 27, 2023

Ah okay. Is there a reason that it isn't available for managed instances? Seems like it used to be from what I can tell combing through commit history.

benevbright commented Sep 27, 2023

@cjsauer OK. I took a bit of a look. It seems it was never implemented as an exported function, which seems a simple mistake from the beginning. I think you can open a PR to add it.

```ts
export const touchSession: TouchSession = (...args) => getInstance().touchSession(...args);
```

> Seems like it used to be from what I can tell combing through commit history.

I saw the commit that you might be referring to, but it was just moving around things that are in `initAuth0()`.

benevbright commented

Opened PR: #1461

adamjmcgrath commented

Merged #1461 - will ship it this week
