> Describes non-persistent sessions available with Auth0.

# Non-Persistent Sessions

With persistent sessions, a user who closes the browser keeps the session and is still logged in when reopening the browser on the same device. Non-persistent sessions instead invalidate the <Tooltip tip="Session Cookie: Entity that, when present, allows the user to be considered authenticated." cta="View Glossary" href="/docs/glossary?term=session+cookie">session cookie</Tooltip> when the browser is closed, which trades that convenience for a smaller window in which an unattended or shared device remains authenticated.

<Warning>
  Biometrics as a First Factor authentication type will not work with non-persistent sessions.
</Warning>

## Browser Limitations

In some cases, non-persistent sessions **cannot** be enforced by tenant settings alone, because the browser, not Auth0, decides when a session cookie is discarded. Examples include:

* The user has a session restore setting on the browser enabled; restoring the session also restores the session cookie.
* The user closes a tab but not the browser window; the session cookie is not cleared until the session ends based on Idle or Absolute Expiration.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  In these instances, non-persistent sessions do **not** provide extra security to the session.
</Callout>

## Sessions

Sessions consist of a cookie on the browser and a session record on the server. With non-persistent sessions, the browser does not persist the cookie across restarts, and the tenant's session lifetime limits still bound the server-side record, so a user who never explicitly logs out of a device is still timed out.

Session lifetime determines how long the system keeps the login session and is configured per tenant. The Absolute Expiration of a session is fixed when the session is created. You can enable non-persistent settings for user sessions, or allow the session to continue even if the browser is closed. You can adjust the Absolute Expiration and non-persistent settings in the Dashboard or the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>. To learn more, read [Configure Session Lifetime Settings](/docs/manage-users/sessions/configure-session-lifetime-settings).

## Cookies

The Auth0 platform uses three types of cookies: session, <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=Multi-Factor+Authentication">Multi-Factor Authentication</Tooltip>, and device. All three become non-persistent once your Auth0 tenant is configured for non-persistent sessions. The tenant's session lifetime settings still determine when the server-side session expires.

When non-persistent sessions are enabled, the following cookies will be issued as session cookies when interacting with the <Tooltip tip="Authorization Server: Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user." cta="View Glossary" href="/docs/glossary?term=authorization+server">authorization server</Tooltip>:

* `auth0` / `auth0_compat`
* `auth0-mf` / `auth0-mf_compat`
* `did` / `did_compat`

To learn more about cookies, read [Authentication API Cookies](/docs/manage-users/cookies/authentication-api-cookies).
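The list above is what to verify after switching a tenant to non-persistent mode: every one of those cookies should come back from the authorization server with neither an `Expires` nor a `Max-Age` attribute, which is what makes it a session cookie under RFC 6265. The script below is an added example, not Auth0 code. It parses `Set-Cookie` header values, classifies each Auth0 cookie as a session cookie, a persistent cookie, or a removal (an expired date or `Max-Age=0`, which is how a server deletes a cookie), and lists any that would survive a browser restart. The sample headers are constructed for the example, not captured from a tenant, and the check covers only what the server issues; the browser-side limitations described above still apply.

```python
"""Check that Auth0's authorization-server cookies are issued as session cookies.

Added example, not Auth0 code. Per RFC 6265 a cookie that carries neither an
Expires nor a Max-Age attribute is a session cookie: the browser discards it when
the browsing session ends. The sample headers below are constructed, not captured.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Cookie names this page lists as becoming session cookies in non-persistent mode.
AUTH0_COOKIES = {"auth0", "auth0_compat", "auth0-mf", "auth0-mf_compat", "did", "did_compat"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # lower-cased attribute name -> value (None for flags)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value. Splitting on ';' is safe: the only
    comma in a well-formed header is inside an Expires date."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attrs)


def lifetime_class(cookie: Cookie, now: Optional[datetime] = None) -> str:
    """Return 'session', 'persistent', or 'removal' (a cookie the server is deleting).

    Mirrors RFC 6265 section 5.3: Max-Age wins over Expires, and an attribute
    whose value does not parse is ignored rather than treated as a lifetime.
    """
    now = now or datetime.now(timezone.utc)
    raw_max_age = cookie.attrs.get("max-age")
    if raw_max_age is not None and raw_max_age.lstrip("-").isdigit():
        return "persistent" if int(raw_max_age) > 0 else "removal"
    raw_expires = cookie.attrs.get("expires")
    if raw_expires:
        try:
            expires = parsedate_to_datetime(raw_expires)
        except (TypeError, ValueError):
            expires = None
        if expires is not None:
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            return "persistent" if expires > now else "removal"
    return "session"


def audit(set_cookie_headers: List[str]) -> Dict[str, str]:
    """Map each Auth0 cookie seen in the response to its lifetime class."""
    report: Dict[str, str] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name in AUTH0_COOKIES:
            report[cookie.name] = lifetime_class(cookie)
    return report


def persistent_auth0_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of Auth0 cookies that would survive a browser restart. With
    non-persistent sessions enabled this list should be empty."""
    return sorted(n for n, cls in audit(set_cookie_headers).items() if cls == "persistent")


# Constructed sample: Set-Cookie values a login response might carry if the
# tenant were only partially in non-persistent mode (two cookies still persist).
SAMPLE_HEADERS = [
    "auth0=s%3Asess.sig; Path=/; Secure; HttpOnly; SameSite=None",
    "auth0_compat=s%3Asess.sig; Path=/; Secure; HttpOnly",
    "auth0-mf=s%3Amfa.sig; Path=/; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Secure; HttpOnly; SameSite=None",
    "did=s%3Adev.sig; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=None",
    "did_compat=; Path=/; Max-Age=0; Secure; HttpOnly",
    "_csrf=notanauth0cookie; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, cls in audit(SAMPLE_HEADERS).items():
        print(f"{name:16} {cls}")
    print("persistent Auth0 cookies:", persistent_auth0_cookies(SAMPLE_HEADERS))
```

To run it against a real tenant, collect the `Set-Cookie` headers from the responses of a complete login flow (with a browser devtools export or an HTTP proxy) and pass them to `persistent_auth0_cookies`. Removal cookies are reported separately so that a deliberate `Max-Age=0` delete is not mistaken for a persistent cookie.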

## Tenant configuration

You can configure your tenant to handle sessions in one of two ways:

* **Persistent**: session cookies persist when the browser is closed.
* **Non-Persistent**: session cookies do not persist across browser restarts. The browser keeps them only until the browsing session ends. To learn more, read [HTTP State Management Mechanism on IETF Datatracker](https://datatracker.ietf.org/doc/rfc2109/).

To configure these settings in the Dashboard:

1. Go to [Dashboard > Tenant Settings](https://manage.auth0.com/#/tenant), and select the **Advanced** view.
2. Scroll to the **Session Expiration** section, locate **Idle Session Lifetime** and **Maximum Session Lifetime**, enter the desired settings, and select **Save**. These limits apply to non-persistent sessions as well; they bound the server-side session record whether or not the browser has discarded the cookie.

   <table class="table">
     <thead>
       <tr>
         <th><strong>Settings</strong></th>
         <th><strong>Description</strong></th>
       </tr>
     </thead>

     <tbody>
       <tr>
         <td>Idle Session Lifetime</td>
         <td>Timeframe (in minutes) after which a user's session will expire if they haven’t interacted with the Authorization Server. Will be superseded by system limits if over 4,320 minutes (3 days) for Essential or Professional or 144,000 minutes (100 days) for enterprise plans.</td>
       </tr>

       <tr>
         <td>Maximum Session Lifetime</td>
         <td>Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. Will be superseded by system limits if over 43,200 minutes (30 days) for Developer or Developer Pro or 525,600 minutes (365 days) for enterprise plans.</td>
       </tr>
     </tbody>
   </table>

## Management API

You can use the Management API to enable non-persistent sessions as well as set values for session lifetime, idle session lifetime, and session cookie properties. The token you use must carry the scope that permits updating tenant settings. To learn more, review the [Management API Tenant Update endpoint](https://auth0.com/docs/api/management/v2/tenants/patch-settings).
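As an added example, not Auth0 SDK code, the script below builds the tenant-settings PATCH that switches a tenant to non-persistent sessions and sets both lifetimes, then checks the settings the API returns against what was requested. It assumes the body fields are `session_cookie.mode` (with the values `persistent` and `non-persistent`), `session_lifetime` and `idle_session_lifetime`, that the two lifetimes are expressed in hours rather than the minutes shown in the Dashboard table above, and that the token needs the `update:tenant_settings` scope. The tenant domain and token in the `__main__` block are placeholders. Confirm the field names and units against the endpoint reference linked above before running it against a production tenant.

```python
"""Turn on non-persistent sessions through the Management API tenant-settings endpoint.

Added example, not Auth0 SDK code. Assumptions (labelled where used): the body
fields `session_cookie.mode`, `session_lifetime` and `idle_session_lifetime`, the
lifetimes being in hours, and the `update:tenant_settings` scope on the token.
"""
import json
import urllib.request
from typing import Any, Dict

MANAGEMENT_SCOPE = "update:tenant_settings"  # assumed scope the Management API token needs


def tenant_settings_patch(idle_minutes: int, max_minutes: int, non_persistent: bool = True) -> Dict[str, Any]:
    """Build the PATCH body from the minute values the Dashboard displays."""
    if idle_minutes <= 0 or max_minutes <= 0:
        raise ValueError("lifetimes must be positive")
    if idle_minutes > max_minutes:
        # An idle lifetime longer than the absolute lifetime can never take effect.
        raise ValueError("idle session lifetime cannot exceed maximum session lifetime")
    return {
        "session_cookie": {"mode": "non-persistent" if non_persistent else "persistent"},
        "idle_session_lifetime": idle_minutes / 60,  # assumed unit: hours
        "session_lifetime": max_minutes / 60,        # assumed unit: hours
    }


def build_request(domain: str, token: str, body: Dict[str, Any]) -> urllib.request.Request:
    """Assemble the PATCH without sending it, so it can be inspected or logged first."""
    return urllib.request.Request(
        url=f"https://{domain}/api/v2/tenants/settings",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def settings_match(applied: Dict[str, Any], wanted: Dict[str, Any]) -> bool:
    """True when every requested field appears in the returned settings with the requested value."""
    return all(applied.get(key) == value for key, value in wanted.items())


def enable_non_persistent_sessions(domain: str, token: str, idle_minutes: int, max_minutes: int) -> Dict[str, Any]:
    """Send the PATCH and fail loudly if the tenant did not end up with the requested settings."""
    body = tenant_settings_patch(idle_minutes, max_minutes)
    with urllib.request.urlopen(build_request(domain, token, body)) as resp:  # network call
        applied = json.load(resp)
    if not settings_match(applied, body):
        raise RuntimeError(f"tenant settings not applied as requested: {applied}")
    return applied


if __name__ == "__main__":
    # Offline demonstration: build and print the request; no tenant is contacted.
    req = build_request("YOUR_TENANT.auth0.com", "MGMT_API_TOKEN", tenant_settings_patch(30, 480))
    print(req.get_method(), req.get_full_url())
    print(req.data.decode())
```

The post-update comparison matters because the endpoint returns the full settings object: a lifetime above the plan limit in the table above is capped server-side, and reading back the applied value is the only way to see that the cap, not the requested value, is what the tenant now enforces.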
