Auth0 cookie expiry while on universal login page

Hi,

I was looking for some guidance on what happens when the cookies that get set by the /authorize endpoint expire while the user is on the universal login page.

Here’s some background - I’m using the auth0 spa sdk to navigate my users over to the universal login page using the loginWithRedirect() method. Periodically, users will report that they get a response like this after they enter their credentials and click Login:

{"statusCode":403,"description":"Invalid state","name":"AnomalyDetected","code":"access_denied"}

that comes from the /usernamepassword/login endpoint.

I can replicate the issue by going to my app, having it navigate me to the universal login screen, then deleting some cookies on my auth0 domain (cookie values auth0, auth0_compat and _csrf), then logging in using my username and password.

I’m wondering if it’s possible my users’ cookies expire while they’re sitting on the universal login page, which is causing this issue for them. The reason I think this is, usually they will report it first thing in the morning. I think what’s happening is:

  • they logged out of application at end of day
  • let their computer sit on the login screen all night
  • the cookies expire
  • in the morning when they try to log in they get this response.

Does this make sense? If so, I am hoping to get some guidance on how those cookies are set, and what I could do to mitigate against this.

I can see that when I call loginWithRedirect() from the auth0 spa sdk, it sends the browser to /authorize, which sends a 302 response plus the set-cookie headers only if the cookies aren’t set already. I am wondering how auth0 determines the expiry time for those cookies, and if there is any logic in the /authorize endpoint that says “I see the cookies are set, but they will expire soon, so I will set newer values”.

I am also wondering what I could do to mitigate against this situation? If my users are going to sit on the universal login page for quite a while, could I put some custom javascript on my universal login page that would check the cookie expiration, and handle getting some new ones if they’re going to expire (maybe by redirecting back to my app, then back to auth0)?


Hi @albert.lockett,

Welcome to the Community!

You could be getting this error for a few reasons, one of which could be a user disabling cookies for the login page, but that is less likely. It is more likely that they have bookmarked the login page. Check out this page for info on that:

Another possible cause could be misusing the back button.

Do you think that could be the case?

Thanks,
Dan

Hey Dan,

I checked with our users who are having this issue and they are not bookmarking the login page, which makes sense because otherwise they wouldn’t be getting this issue intermittently. They also told me that they aren’t bookmarking the login page.

Please, do you know if it makes sense that the cookies could expire while they are on the universal login page and if it could cause this issue?

@dan.woda I figured out another way to reproduce this.

If the user logs out of the application in two different tabs, and on each tab they are then redirected to the universal login screen, it seems like the cookies that get set on the second tab will over-write the values on the first tab.

If you then try to login on the first tab, you’ll get the response from the original post (403, AnomalyDetected).

Do you have any guidance on finding a solution for that?
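The two failure paths described in this thread (a second tab replacing the transaction cookie, and the cookie expiring overnight) both end in the same "Invalid state" check. The model below is an added example, not Auth0's code: it assumes a single cookie jar shared by all tabs, that /authorize only sets the transaction cookie when none is presented, that logout clears it so the next /authorize issues a fresh one, and that /usernamepassword/login compares the state embedded in the page with the state in the cookie.

```python
import secrets

# Constructed stand-in for the 403 body quoted in the original post.
INVALID_STATE = {"statusCode": 403, "description": "Invalid state",
                 "name": "AnomalyDetected", "code": "access_denied"}

class CookieJar:
    """One jar shared by every tab of the same browser profile (model)."""
    def __init__(self):
        self.cookies = {}  # name -> (value, expires_at)

    def get(self, name, now):
        item = self.cookies.get(name)
        if item is None or item[1] <= now:
            self.cookies.pop(name, None)  # browsers drop expired cookies
            return None
        return item[0]

class AuthServerModel:
    """Hypothetical model of /authorize, logout and /usernamepassword/login."""
    def __init__(self, cookie_ttl):
        self.cookie_ttl = cookie_ttl

    def authorize(self, jar, now):
        # Only set the transaction cookie when the browser presented none.
        state = jar.get("auth0", now)
        if state is None:
            state = secrets.token_hex(8)
            jar.cookies["auth0"] = (state, now + self.cookie_ttl)
        return {"state": state}  # the rendered login page embeds this value

    def logout(self, jar):
        jar.cookies.pop("auth0", None)  # assumption: logout clears the cookie

    def login(self, jar, form_state, now):
        # CSRF binding: the state posted by the page must match the cookie.
        if jar.get("auth0", now) != form_state:
            return INVALID_STATE
        return {"statusCode": 302}

def two_tab_logout(server, now=0):
    """Log out in two tabs; each tab keeps the state its own page was rendered with."""
    jar = CookieJar()
    server.logout(jar); tab1 = server.authorize(jar, now)
    server.logout(jar); tab2 = server.authorize(jar, now)  # replaces tab1's cookie
    return server.login(jar, tab1["state"], now), server.login(jar, tab2["state"], now)

def overnight_expiry(server, wait):
    jar = CookieJar()
    page = server.authorize(jar, 0)
    return server.login(jar, page["state"], wait)  # wait seconds later
```

In the two-tab case only the first tab's login fails; the second tab, whose page matches the surviving cookie, still succeeds.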

If they are logging in and out every day they should not be getting expired cookies like this, unless I am mistaken.

Did you look into setting up a default login route that I linked above? I think that could solve this issue.

@dan.woda
If I understand you correctly, if I set up the default login route, after my users get the “403/Anomaly Detected” response they would get redirected to my configured default login route, which would navigate them back to the universal login page, and they could try to log in again?

I did set up the default login route but it did not resolve the issue. Is there any additional information I can provide to help make this easier from a support perspective?

If you could provide me a HAR file of one of these transactions from your customers that could be very helpful.

Thanks Dan, sounds good. Can I send it to you directly, or is the expectation that I post it here on the public forum?

Please DM it to me, thanks!
