Setting updateAge greater than maxAge: a valid approach?

[lukemorton]

Hi folks,

As far as I can tell, Auth.js/NextAuth rolls sessions forever. As long as the user interacts with the session within maxAge, the session will be extended every updateAge indefinitely.

By default, as long as a user interacts with the session within 30 days (default maxAge) the session is extended every 24 hours (default updateAge).

• Scenario 1: If the user tried to access the service 2 days after their last activity, the session expiry would be reset to 30 days after the current time, extending the session.
• Scenario 2: If the user tried to access the session after those 30 days, the session would have expired and the user will have to login.

But what if you want to force the user to login every say 14 days?

My initial thought is to set the updateAge to be greater than the maxAge. This would mean the session is never extended as the updateAge would not be reached before the maxAge. The impact would be 1) the session expiry never extends and 2) when the expiry date is reached the session would no longer be valid, logging the user out.

Imagine we set maxAge to 14 days and updateAge to 15 days:

• Scenario 1: If the user tried to access the service 2 days after their last activity, the session expiry would not change as the updateAge had not been reached
• Scenario 2: If the user tried to access the session after those 30 days, the session would have expired and the user will have to login.

Do I have that right? Could there be any negative consequences to this approach?

Best,
Luke

[lukemorton]

cc @balazsorban44