Session options
Clerk provides session management options for fine-tuning user visits to your application, including options for session lifetime, multi-session handling, and session token customization.
Session lifetime
Depending on the business domain of an application, there might be different requirements for how long users should remain signed in. Criteria to base this decision upon typically revolve around user activity on the application and how long it has been since the user first signed in.
Ultimately, picking the ideal session lifetime is a trade-off between security and user experience. Longer sessions are generally better for UX but worse for security; and vice-versa.
Fortunately, with Clerk, you have the ability to fully control the lifetime of your users' sessions. There are two settings for doing so and you can set them via your instance settings in the Clerk Dashboard: Inactivity timeout and Maximum lifetime.
Inactivity timeout
Inactivity timeout is the duration after which a session will expire and the user will have to sign in again, if they haven't been active on your site.
A user is considered inactive when the application is closed, or when the app stops refreshing the token.
By default, the inactivity timeout is set to 7 days. You can set a custom inactivity timeout by following these steps:
- In the Clerk Dashboard, navigate to the Sessions page.
- Toggle on Inactivity timeout.
- Set your desired duration.
Maximum lifetime
The duration after which a session will expire and the user will have to sign in again, regardless of their activity on your site.
By default, this setting is enabled with a default value of 7 days for all newly created instances. To find this setting and change the value:
- In the Clerk Dashboard, navigate to the Sessions page.
- Toggle on Maximum lifetime.
- Set your desired duration.
Browser limitations on cookies
Regardless of how session lifetimes are configured, there are certain browser limitations & behaviors which may clear Clerk's session cookie. This will cause users to be signed out, even if your session lifetimes are set to a longer duration. As a result, it is impossible to achieve a setup where your users are never signed out.
User behaviors
In the event that a user manually clears their cookies, Clerk's session cookie will be lost. Similarly, if a user signs in via an incognito window and they then close all incognito windows, Clerk's session cookie will be lost. Both of these scenarios will cause the user to have to sign in again.
Google Chrome
Cookies set in Google Chrome have a Max-Age
upper limit of 400 days. Users who are using Google Chrome will be signed out within 400 days, even if session lifetime is set to a longer duration. There is no workaround for this.
This is per the HTTP Working Group Specification which is likely to get implemented by other browsers in the near future.
Multi-session applications
A multi-session application is an application that allows multiple accounts to be signed in from the same browser at the same time. The user can switch from one account to another seamlessly. Each account is independent from the rest and has access to different resources.
To enable multi-session in your application, you need to configure it in the Clerk Dashboard.
- In the Clerk Dashboard, navigate to the Sessions page.
- Toggle on Multi-session handling.
- Select Save.
There are two main ways to add the multi-session feature to your application:
- Use the
<UserButton />
component if you want to use a prebuilt UI. - Build a custom flow if you want to rebuild the existing Clerk flow using the Clerk API.
Customize session token
Session tokens are JWTs that contain a set of default claims required by Clerk. You can customize these tokens by providing additional claims of your own.
To learn how to customize session tokens, see the dedicated guide.
Feedback
Last updated on