pow-auth / pow

Robust, modular, and extendable user authentication system
https://powauth.com
MIT License

30-Minute Session Expiration? #645

Open djthread opened 3 years ago

djthread commented 3 years ago

Hi! I’m using pow_assent to integrate with Auth0, and things are generally working nicely! My issue arises when I stay on the Auth0 login screen for greater than what I think is a 30-minute threshold.

My MyAppWeb.AuthController.new action sets session params into the session and redirects to the Auth0 login. If I don’t log in on Auth0 for a period of time, the session is dropped. In this case, filling the form and submitting sends me to MyAppWeb.AuthController.callback to complete the process, but I see an error saying the session_params cannot be loaded before I restart the login process.

Because my users might be sitting on that login screen for some time (I'm using it sort of as a lock screen), do I want to extend the session length to allow this to work as needed? It looks like OWASP recommendations say my session shouldn't last more than 30 minutes? Any advice on this?

djthread commented 3 years ago

My solution for the time being was to add a bit of JS to the Auth0 login screen which redirects back to my app's /logout route after 29 minutes, where the session can be recreated. Obviously this is not ideal, and I'm still really curious how others are solving or would solve this issue.
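One way to decouple the pre-login state from the 30-minute login session, as an added example (Python, not code from this issue or from pow/pow_assent): the `state` sent to the identity provider is a signed, timestamped token that is also set in a dedicated cookie with its own Max-Age, so the callback can tell an expired flow (restart it) from a cross-site forgery (reject it). The key, the TTL and the function names are constructed for the illustration.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

# Constructed demo key; a real app derives this from its secret_key_base.
SECRET = b"constructed-demo-key-do-not-reuse"
# Pre-authentication state may outlive the authenticated session's idle timeout.
STATE_TTL = 60 * 60


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_login(now=None):
    """Start the redirect to the identity provider.

    Returns (state, cookie): `state` goes into the authorize URL, `cookie`
    is the same signed token, to be set in its own cookie with Max-Age
    STATE_TTL instead of being kept in the login session.
    """
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"nonce": secrets.token_urlsafe(16), "iat": issued}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    token = f"{_b64(payload)}.{_b64(sig)}"
    return token, token


def callback(returned_state, cookie, now=None):
    """Check the state echoed back by the provider: 'ok', 'restart' or 'reject'."""
    if cookie is None:
        return "restart"  # browser lost the cookie: send the user back to /auth/new
    if not hmac.compare_digest(cookie.encode(), returned_state.encode()):
        return "reject"  # state not bound to this browser: possible cross-site forgery
    try:
        payload_b64, sig_b64 = returned_state.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return "reject"
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "reject"  # tampered token
    issued = json.loads(payload)["iat"]
    if (time.time() if now is None else now) - issued > STATE_TTL:
        return "restart"  # user sat on the login screen too long: restart cleanly
    return "ok"
```

The cookie comparison is what ties the state to the browser that started the flow; the signature alone would not stop a third party from minting a state of its own.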