Android SDK - user keeps logged in after uninstalling and installing the app

Hey

I’m using auth0 sdk on Android native app. I’m working with WebAuthProvider.login(auth0)

If I login then I uninstall the app then I install the app again and run it, the app doesn’t ask me for credentials (user and password), it performs the login process as if I had entered user/password and onSuccess method is called.

I need the app to ask me for credentials if it’s a fresh installation

Any ideas about how to achieve this?

1 Like

Hey there Dane!

Not sure as of now how to achieve it but let me research that and get back to you as soon as I find something!

Hey there Dane!

Terribly sorry for such delay in response but I was killed by the influx of incoming questions. Would like to follow-up to ask you what’s the SDK version you’re using? Once more sorry for the delay!

Hey man!

No worries :smiley:

The version is 1.30.0
I’m adding it as a dependency : `implementation ‘com.auth0.android:auth0:1.30.0’

I suppose I’m doing something wrong with the setup, but I can’t figure out.

My best guess is that whatever webview or browser component used on WebAuthProvider.login(auth0) call leaves cookies or some information there and after reinstalling the app, that component takes the cookies info and use it to restore a session. But I don’t really know, probably I’m talking garbage!

I’m testing it with android API Level 29, 30, also tested in emulators with api levels like 24, 25, 26

And lastly, maybe it’s a miss understanding from my side? I mean I understand that what a user wants is to re-login if the app was re-installed, that’s what I see on other apps and well trying to achieve that :slight_smile: , but maybe you developed it in a way that user doesn’t need it do it

1 Like

Gotchya thanks for providing that context! Have you tried this part of the SDK:

?

Yeah! I use WebAuthProvider.logout(account)start(this, logoutCallback) to log out the user WHEN they press over the logout button, but when they just uninstall the app, well I don’t know what callback to use to identify the user is uninstalling the app and call WebAuthProvider.logout(account)start(this, logoutCallback)

1 Like

Gotchya! Let me discuss it internally with the people responsible for the SDK.

Hey there again!

I found out that you’re also already working on that with Amin Abbaspour. Not sure where you stopped but basically what I can see from our internal engineering ticket:

This is expected behavior. To reproduce using the Auth0 Android sample app:

  1. Launch app and login with the WebAuthProvider (don’t logout)
  2. Quit and uninstall Login sample app in the emulator
  3. Re-install/run the sample app
  4. Click login - no redirect to login with credentials, instead shows session still valid

Because web authentication is being used, the user’s session cookie is managed by the browser. Calling WebAuthProvider.logout() will redirect to the Auth0 logout page, and clear the session cookie. Uninstalling the app without logging out won’t/can’t clear the browser’s session cookie. So upon reinstalling the app and attempting to login, the browser’s session cookie will identify the user as authenticated, and they will not be directed to login with their credentials.

A way to verify this behavior is to do one of two things between steps 2) and 3) above:

  • Clear the browser’s cookies; notice that then on app re-install/login the user will be required to authenticate
  • Call the WebAuthProvider.logout() method prior to calling login()

If either are those are done, you can observe the user will be asked to authenticate after reinstalling the application.

1 Like

hey! thanks for taking the time to review this case.

I just saw it and I thin what I’m missing is to logout prior to login call. You gave me a light to solve this , thank you so much!

1 Like

Glad I was able to help somehow!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.