Problem statement
Auth0 session cookies not using HttpOnly or secure flags.
The issue is how to handle the lack of HttpOnly on the following cookies:
- auth0.PaUrzRdxflTKVpq1fCiTGkWowJCgq0qi.is.authenticated
- _legacy_auth0.PaUrzRdxflTKVpq1fCiTGkWowJCgq0qi.is.authenticated
Solution
auth0.is.authenticated cookie
The auth0.is.authenticated cookie name is a little misleading. It is just an optimization cookie that minimizes unnecessary log-ins for a better user experience. It should not cause any issues if someone gets the cookie.
The auth0.is.authenticated cookie is used to remember authentication state with Auth0 across multiple page tabs and page refreshes. Session Storage on the other hand is bound to the session, this means every tab has it’s own Session as well as the session storage is cleared when the browser tab is closed. More information around this:
Using SessionStorage would not allow to achieve the behavior that we are achieving with the auth0.is.authenticated cookie.
As this is a cookie we are setting from inside JavaScript, we can not make it httpOnly.
The useCookiesForTransaction, when set to false, ensures transactions are using SessionStorage.
Transactions is what the SDK uses to track state during the redirect to Auth0 so we can rebuild certain state after the user is being redirected to their application.
This works fine as the redirect will happen in the same browser tab, using the same session. As soon as we are back from redirecting to Auth0, the entry will be removed from the session. So we are not relying on keeping the session’s value cross tabs or after page refreshes.
We are not using Local Storage because we want the entry to expire after a certain amount of time.
Because of the above about session storage and local storage, using a non-http only cookie is our only option.
_legacy_auth0.is.authenticated
This was added to support legacy browsers, see [SDK-1858] Create legacy samsite cookie by default by adamjmcgrath · Pull Request #568 · auth0/auth0-spa-js · GitHub.
You can disable this option by setting the legacySameSiteCookie, see https://auth0.github.io/auth0-spa-js/interfaces/auth0clientoptions.html#legacysamesitecookie
The above is documentation for our SPA-JS SDK, which our React SDK wraps. If they want to disable this in react, they could pass the same option to the Auth0Provider and set its value to false.
<Auth0Provider legacySameSiteCookie={false}>
</Auth0Provider>