
Closing the browser does not result in the user being logged out

lock
security
lock-11

#1

I’m not sure if this is related to rememberLastLogin or not (if so, then setting it to false does not produce the desired results). I’m assuming that a remembered login state is managed through a cookie? If so, can that cookie be set to expire with the session? The problem is that there is no way to prevent the user from closing the browser without logging out (yes, I can catch that event and warn them, but they can override it). When that happens, the user remains in a logged in state, so that they (or someone else) can just go back to the SPA and find themselves still logged in. This is a pretty serious security hole. By the way, the same thing happens if I log into auth0.com and just close the browser without logging out.
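The post asks whether the remembered login state lives in a cookie that could expire with the browser session. One way a defender can check that from the login response, as an added example (not Auth0's or the poster's code; the headers below are constructed samples, not captured from auth0.com), is to parse each Set-Cookie header and flag cookies carrying Expires or Max-Age, which survive a browser restart:

```javascript
// Added example (not Auth0's or the poster's code): audit Set-Cookie headers to
// tell session cookies (no Expires/Max-Age, dropped when the browser closes) from
// persistent cookies (Expires or Max-Age set, survive a browser restart).

// Parse one Set-Cookie header into { name, persistent, maxAge, expires }.
// Per RFC 6265, Max-Age wins over Expires, an unparsable Expires is ignored,
// and a non-positive Max-Age or a past Expires means the cookie is deleted.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const cookie = { name, persistent: false, maxAge: null, expires: null };
  let sawMaxAge = false;
  for (const attr of attrs) {
    const idx = attr.indexOf('=');
    const key = (idx === -1 ? attr : attr.slice(0, idx)).trim().toLowerCase();
    const value = idx === -1 ? '' : attr.slice(idx + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(value)) {
      cookie.maxAge = Number(value);
      cookie.persistent = cookie.maxAge > 0;
      sawMaxAge = true;
    } else if (key === 'expires' && !sawMaxAge) {
      const ts = Date.parse(value);
      if (!Number.isNaN(ts)) {
        cookie.expires = value;
        cookie.persistent = ts > now;
      }
    }
  }
  return cookie;
}

// Names of cookies from a response that would outlive the browser session.
function persistentCookies(headers, now = Date.now()) {
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => c.persistent)
    .map((c) => c.name);
}

// Constructed sample headers, not captured from Auth0 or any real service.
const SAMPLE_HEADERS = [
  'appSession=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'remember=xyz; Path=/; Max-Age=2592000; HttpOnly; Secure',
  'pref=dark; Expires=Fri, 31 Dec 2099 23:59:59 GMT; Path=/',
  'stale=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/',
];

console.log(persistentCookies(SAMPLE_HEADERS)); // [ 'remember', 'pref' ]
```

Note that a session cookie only disappears if the browser actually discards it on close; browsers configured to restore the previous session keep session cookies too, so a server-side idle timeout is the control that does not depend on the client.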