I was looking for some guidance on what happens when the cookies that get set by the /authorize endpoint expire while the user is on the unversal login page.
Here’s some background - I’m using the auth0 spa sdk navigate my users over to the unversal login page using the loginWithRedirect() method. Periodically, users will report that they get a response like this after they enter their credentials and click Login:
that comes from the /usernamepassword/login endpoint
I can replicate the issue by going to my app, having it navigate me to the universal login screen, then delete some cookies my auth0 domain (cookie values auth0, auth0_compat and _csrf), then login using my username and password.
I’m wondering if it’s possible my user’s cookies expire while they’re sitting on the universal login page which is causing this issue for them. The reason I think this is, usually they will report it first thing in the morning. I think what’s happening is:
- they logged out of application at end of day
- let their computer sit on the login screen all night
- the cookies expire
- the morning when they try to log in they get this response.
Does this makes sense? If so, I am hoping to get some guidance on how those cookies are set, and what I could do to mitigate against this.
I can see that when I call loginWithRedirect() from the auth0 spa sdk, it sends the browser to /authorize which sends 302 response plus the set-cookie headers only if the cookies aren’t set already. I am wondering how auth0 determines the expirey time for those cookies, and if there is any logic in the /authorize endpoint that says “I see the cookies are set, but they will expire soon, so I will set a newer values”