Is it possible to customise the maxAge of a session on a user per user basis?

[jonlow]

We are exploring a scenario where different types of users get different session lengths. For example:

• Normal users (30 days)
• High risk data users (30 minutes)

So ideally it would be nice to be able to query the type of user and determine how long their inactive session will last for.

Is this at all possible?

[balazsorban44]

How do you determine if a user is of high-risk data or not? I don't think we would support something like this built-in unless there is interest from more people, but you could do something like this:

export default function async auth(req, res) {
  const maxAge = await determineUserMaxAge(req, res)
  NextAuth(req, res, {
    ... // rest of your config
    session: { maxAge }
  })
}

If the type is defined by a role or similar saved on the session itself, you could use getToken(req) method within determineUserMaxAge.