Auth0 maintaining session in incognito window

My application, which is built in Angular 6, uses Auth0 for login. Once the login is successful I store the access token in sessionStorage. So the problems are:

Problem: If a user logs in in one tab, either an incognito or a normal window, then goes to the next tab and opens the application, Auth0 is not asking for username and password. It just auto-logs in that user.

I use the auth.js library for Auth0 integration.

sessionStorage is only cleared when the page/window of the browser is closed:

data stored in sessionStorage gets cleared when the page session ends. A page session lasts for as long as the browser is open and survives over page reloads and restores

Do you see the same behaviour when logging in again into a NEW incognito window?

Hey there @megha.gupta!

Have you had a chance to see the last message?

Yes, I am seeing the same behaviour in an incognito window.
I know the session will be available as long as the browser tab is alive. But this thing should not happen in incognito.

Hello @megha.gupta! We recommend not storing artifacts like access tokens in browser storage at all, and rather storing them in application memory and utilizing a token renewal method to get new tokens. Please check out the Angular quick start for more details on this (in particular, the renewTokens method in the Finish the service section).

1 Like

Ok, let me try that. Thanks.

I just have one doubt: even though we are storing in the browser, it should not work in an incognito window.

I tried with application memory and still face the same issue.
Let me re-explain my problem scenario :slight_smile:

  1. Log in to my application with username and password.
  2. Go to the next tab and hit the application URL. This will take you to the login page (which is correct behaviour).
    My Login button calls the auth0.authorize() method, which is provided by auth0-js. This should go to the attached Auth0 login screen. But it's not. :frowning:

Hi,
Please help me with this issue. It's killing me.
Please let me know if you guys need more information.

Hi @megha.gupta, I'm sorry to hear about the troubles you've been experiencing. By looking at your recent description of the problem it sounds like there is an issue with possible redirection. Can you share a code snippet of your .authorize method? Also, when you get a chance, can you snag me a HAR file capture of the broken workflow you spoke about and direct message it over to me? These details should enable us to have a deeper look at what may be occurring. Thanks in advance!

Why is this closed? I am having the same issue, and the problem can be reproduced with Auth0's official React Auth0 example 05:
github.com:auth0-samples/auth0-react-samples.git

Can someone from the team look into this? This is really unacceptable behavior and creates confusion.

When you log in using Auth0, Auth0 will create a session for the user in the form of a session cookie (this is regardless of how specific applications keep a session).

When another (or the same) application requests an authentication/authorization from Auth0, Auth0 will by default use the existing session (it “knows” the user already) and skip any user prompts if possible.

This is the way all identity systems work (you can see this with Google and Microsoft social, or Facebook, for instance), under the assumption that it’s the same user opening different tabs in the browser.

If you need different sessions, you can:

  • use a different browser or an incognito window if you are just testing the application (which I’m guessing is the only reason to need different sessions for the same person). Remember that many incognito windows share the same cookie storage, so you don’t get a clean slate until you close all the existing incognito windows.
  • force the display of the login screen even if the user already has a session with Auth0 by using the prompt=login parameter in the authorize request. If you are using Auth0.js, you can do it like this:

    webAuth.authorize({ prompt: "login" });

The React sample uses localStorage to remember if the user is logged in and, if so, it tries to silently get a token (see https://github.com/auth0-samples/auth0-react-samples/blob/606767543e56f167b156880dfcb1b04dd17a1a36/01-Login/src/App.js#L21-L24). You will need to remove that functionality and modify the login method in https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/Auth/Auth.js to:

  login() {
    this.auth0.authorize({ prompt: "login" });
  }

This, of course, will result in the user having to log in every time the window is refreshed, which might not be what you are after.

2 Likes

This is the way all identity systems work (you can see this with Google and Microsoft social, or Facebook, for instance), under the assumption that it’s the same user opening different tabs in the browser.
Not true. Google will not sign one in if it's in incognito mode, if the user has never been signed in in that mode. And closing the incognito window should not retain the session. But Auth0 does. Why is that?

Auth0 doesn’t do that, I promise :slight_smile: .

The user session reference is kept in a cookie (named auth0), and cookies are not shared between incognito and regular windows. The browser is the one preventing this; there's no way around it for any vendor.
Remember, though, that all tabs/windows running in incognito mode share the same cookie jar, so if you log in on one incognito tab and move to another incognito tab, those two tabs will share the session.
Cookies from an incognito session are not cleared until all incognito windows are closed.

2 Likes
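To make the mechanism in the two answers above concrete (the Auth0 session cookie that lets a second tab skip the login page, the prompt=login override, and the shared incognito cookie jar that only disappears when the last incognito window closes), here is an added example. It is a constructed model written for this thread, not Auth0's code and not the React or Angular samples: the CookieJar, Browser and IdentityProvider classes and their method names are invented, and the "auth0" cookie name and session ids are stand-ins for whatever the real service sets.

```javascript
// Constructed model of the browser/IdP interaction discussed in the thread.
// Nothing here talks to Auth0; it only reproduces the session semantics.

// One cookie jar per browsing context. Every tab in a context shares it.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  get(name) { return this.cookies.get(name); }
  set(name, value) { this.cookies.set(name, value); }
}

// Browser: normal windows share one jar; all incognito windows share a second
// jar that is only discarded when the last incognito window is closed.
class Browser {
  constructor() {
    this.normalJar = new CookieJar();
    this.incognitoJar = null;
    this.openIncognitoWindows = 0;
  }
  openNormalTab() { return this.normalJar; }
  openIncognitoWindow() {
    if (this.incognitoJar === null) this.incognitoJar = new CookieJar();
    this.openIncognitoWindows += 1;
    return this.incognitoJar;
  }
  closeIncognitoWindow() {
    this.openIncognitoWindows -= 1;
    if (this.openIncognitoWindows === 0) this.incognitoJar = null;
  }
}

// Identity provider: keeps its own session, referenced by a cookie named
// "auth0" (as in the thread). The application never sees this session; it
// only sees the outcome of the /authorize call.
class IdentityProvider {
  constructor() { this.sessions = new Map(); } // session id -> username

  // authorize(): what auth0.authorize() or checkSession() triggers. With a
  // valid session cookie and no prompt=login, the user is logged in silently.
  authorize(jar, { prompt } = {}) {
    const sid = jar.get("auth0");
    if (prompt !== "login" && sid !== undefined && this.sessions.has(sid)) {
      return { outcome: "silent", user: this.sessions.get(sid), token: `tok-${sid}` };
    }
    return { outcome: "login_page" };
  }

  // submitLogin(): the user filled in the hosted login page. A new IdP session
  // is created and its id is written into this context's cookie jar.
  submitLogin(jar, username) {
    const sid = `sid-${this.sessions.size + 1}`; // constructed id, not a real format
    this.sessions.set(sid, username);
    jar.set("auth0", sid);
    return { outcome: "interactive", user: username, token: `tok-${sid}` };
  }
}

// Scenario from the thread: log in once in an incognito window, open a second
// incognito window, force the login page with prompt=login, then close both
// windows and open a fresh one.
function incognitoScenario() {
  const idp = new IdentityProvider();
  const browser = new Browser();
  const win1 = browser.openIncognitoWindow();
  const firstVisit = idp.authorize(win1).outcome;                  // "login_page"
  idp.submitLogin(win1, "alice");
  const win2 = browser.openIncognitoWindow();                      // same jar as win1
  const secondWindow = idp.authorize(win2).outcome;                // "silent"
  const forced = idp.authorize(win2, { prompt: "login" }).outcome; // "login_page"
  browser.closeIncognitoWindow();
  browser.closeIncognitoWindow();                                  // jar discarded
  const fresh = browser.openIncognitoWindow();
  const afterReopen = idp.authorize(fresh).outcome;                // "login_page"
  return { firstVisit, secondWindow, forced, afterReopen };
}

// Normal and incognito contexts have separate jars, so a normal-window login
// never carries over into an incognito window.
function isolationScenario() {
  const idp = new IdentityProvider();
  const browser = new Browser();
  idp.submitLogin(browser.openNormalTab(), "alice");
  return {
    normalTab: idp.authorize(browser.openNormalTab()).outcome,       // "silent"
    incognito: idp.authorize(browser.openIncognitoWindow()).outcome, // "login_page"
  };
}
```

The point of the model is that the application's own storage (sessionStorage, localStorage or memory) never decides whether the login page appears; the IdP's cookie does. Clearing the app's storage in a new tab changes nothing as long as the "auth0" cookie is still in the jar, which is why prompt=login, or closing every incognito window, is what produces a fresh login.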