After page reload and cookie clear, the user magically remains authenticated, but how?

I’m using Auth0Client via the npm package @auth0/auth0-spa-js in a React application without any problem. But I can see that after a user has logged in, they remain logged in: clearing cookies and a hard reload of the page doesn’t change that.
My assumption is that a hard reload destroys the frontend application, hence all objects get destroyed, including the Auth0Client. It means that in-memory state must be lost. As I said, I also cleared the cookies, local storage, etc.
But I checked the network activity in the browser and I found that when an Auth0Client is being instantiated via the function createAuth0Client, a call to https://<MYTENANT>.auth0.com/authorize is issued and the response is successful: status code 200, which leads to a subsequent code exchange.
My question is: how is this ever possible?

You only (I assume, given the outcome) cleared the cookies for your application domain; as part of the initial login through your tenant domain, an authenticated session was established at that domain, so the next time the application reloads, the SDK performs a call to check whether the user already has an authenticated session in the identity provider (the Auth0 tenant) and, if yes, proceeds to consider the user authenticated.

The above will work as long as the cookies that are associated with the authentication session in the tenant domain are neither cleared nor expired.
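As an added illustration (not code from the original post or from the Auth0 SDK), this Node script models the cookie scoping the answer describes: the browser keeps one cookie jar per host, so "clear site data" on the app's host leaves the tenant's session cookie untouched, and only a logout that reaches the tenant domain actually ends the session. Host names and cookie names are constructed placeholders.

```javascript
// Constructed hosts: the SPA's origin and the Auth0 tenant domain from the question.
const APP_HOST = "app.example.test";
const TENANT_HOST = "MYTENANT.auth0.com";

// A browser's cookie store, keyed by host. Cookies set by one host are never sent
// to, or clearable via, another host's site data.
function newBrowser() {
  return { cookies: new Map() };
}

function setCookie(browser, host, name, value) {
  if (!browser.cookies.has(host)) browser.cookies.set(host, new Map());
  browser.cookies.get(host).set(name, value);
}

// "Clear cookies for this site": removes only the jar of the given host.
function clearSiteData(browser, host) {
  browser.cookies.delete(host);
}

// Interactive login: the tenant sets its own session cookie on the tenant host,
// and the app stores whatever state it likes on the app host.
function interactiveLogin(browser, user) {
  setCookie(browser, TENANT_HOST, "auth0_session", user); // constructed cookie name
  setCookie(browser, APP_HOST, "app_state", "logged-in");
}

// What the SDK does on page load: a silent call to /authorize at the tenant host.
// The tenant answers purely from its own cookie jar; the app's storage is irrelevant.
function silentAuthorize(browser) {
  const tenantJar = browser.cookies.get(TENANT_HOST);
  if (tenantJar && tenantJar.has("auth0_session")) {
    return { authenticated: true, code: "constructed-auth-code", user: tenantJar.get("auth0_session") };
  }
  return { authenticated: false, error: "login_required" };
}

// A logout that only wipes the app host does not end the session; the tenant's
// logout endpoint must be reached so the tenant clears its own cookie as well.
function tenantLogout(browser) {
  clearSiteData(browser, TENANT_HOST);
  clearSiteData(browser, APP_HOST);
}

// Returns true if the user is still considered authenticated after clearing only the
// app host's cookies and "reloading" (i.e. running the silent /authorize check again).
function staysAuthenticatedAfterAppClear() {
  const browser = newBrowser();
  interactiveLogin(browser, "alice");
  clearSiteData(browser, APP_HOST);
  return silentAuthorize(browser).authenticated;
}
```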

Ah, so true! How did I not think of the cross-domain cookie?!
Thanks very much.

Glad you have it now!