SOC2-11: Explicit Session Expiry
Version introduced: v0.1.151
SOC 2 Control: SOC2-11 — Session Management › Expiry
Overview
Sanctions screening platforms handle sensitive personal and entity data on behalf of UK compliance teams. Limiting the lifetime of authenticated sessions is a key control for reducing the risk of unauthorised access from unattended or stolen sessions.
Prior to v0.1.151, the NextAuth configuration in src/lib/auth.ts used strategy: 'jwt' without setting an explicit maxAge. This meant session lifetime was governed entirely by NextAuth's built-in default of 30 days — far longer than is appropriate for a compliance environment.
What Changed
An explicit maxAge of 8 hours is now set on both the session and jwt configuration objects in src/lib/auth.ts:
```typescript
// src/lib/auth.ts
export const authOptions: NextAuthOptions = {
  session: {
    strategy: 'jwt',
    maxAge: 8 * 60 * 60, // 8 hours
  },
  jwt: {
    maxAge: 8 * 60 * 60, // 8 hours
  },
  // ...
};
```
Setting maxAge on both objects ensures that:
- The NextAuth session cookie expires after 8 hours.
- The signed JWT token itself also expires after 8 hours, so a token cannot be replayed beyond its intended lifetime even if the cookie is somehow retained.
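The two checks below are an added example, not code from this project or from NextAuth.js: a configuration check that reports the effective session and JWT lifetimes (a missing maxAge falls back to NextAuth's 30-day default), and a token check that confirms an issued JWT's exp claim stays within the 8-hour bound. The `SessionOptions` type is a constructed stand-in for the relevant fields of `NextAuthOptions`, so the example runs offline.

```typescript
// Added example: regression checks for the SOC2-11 session-expiry control.
// `SessionOptions` is a constructed stand-in for the session/jwt fields of
// NextAuth's `NextAuthOptions`; nothing here imports the real library.

const EIGHT_HOURS = 8 * 60 * 60;                     // required lifetime, seconds
const NEXTAUTH_DEFAULT_MAX_AGE = 30 * 24 * 60 * 60;  // NextAuth built-in default (30 days)

interface SessionOptions {
  session?: { strategy?: 'jwt' | 'database'; maxAge?: number };
  jwt?: { maxAge?: number };
}

// Effective lifetimes: an unset maxAge means NextAuth's 30-day default applies.
function effectiveLifetimes(opts: SessionOptions): { session: number; jwt: number } {
  return {
    session: opts.session?.maxAge ?? NEXTAUTH_DEFAULT_MAX_AGE,
    jwt: opts.jwt?.maxAge ?? NEXTAUTH_DEFAULT_MAX_AGE,
  };
}

// Returns the list of control violations; an empty list means compliant.
function checkSessionExpiry(opts: SessionOptions, limit = EIGHT_HOURS): string[] {
  const problems: string[] = [];
  const { session, jwt } = effectiveLifetimes(opts);
  if (opts.session?.maxAge === undefined) problems.push('session.maxAge not set (defaults to 30 days)');
  if (opts.jwt?.maxAge === undefined) problems.push('jwt.maxAge not set (defaults to 30 days)');
  if (session > limit) problems.push(`session.maxAge ${session}s exceeds ${limit}s`);
  if (jwt > limit) problems.push(`jwt.maxAge ${jwt}s exceeds ${limit}s`);
  if (session !== jwt) problems.push('session.maxAge and jwt.maxAge differ; cookie and token lifetimes should match');
  return problems;
}

// Token-side check: exp must be at most `limit` seconds after iat, and a token
// past exp is rejected even if the cookie that carried it somehow survived.
function tokenWithinLifetime(claims: { iat: number; exp: number }, now: number, limit = EIGHT_HOURS): boolean {
  return claims.exp - claims.iat <= limit && now < claims.exp;
}

// Constructed configurations: the pre-v0.1.151 shape and the current one.
const beforeFix: SessionOptions = { session: { strategy: 'jwt' } };
const afterFix: SessionOptions = {
  session: { strategy: 'jwt', maxAge: EIGHT_HOURS },
  jwt: { maxAge: EIGHT_HOURS },
};
```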
Why 8 Hours?
8 hours aligns with a standard working day and is a common baseline for compliance and financial applications. It balances usability (a user does not need to re-authenticate mid-shift) with security (an idle or abandoned session does not remain valid overnight or across weekends).
Impact on Users
- Users who are inactive for more than 8 hours will be signed out automatically and prompted to re-authenticate.
- Active sessions are unaffected during the 8-hour window.
- There is no change to the sign-in flow or any other authentication behaviour.
Related SOC 2 Controls
| Control | Description |
|---|---|
| SOC2-11 | Session Management — Expiry |
Further Reading
- NextAuth.js Session Configuration
- NextAuth.js JWT Configuration
- OFSI Compliance Programme internal security policy