
Closing the browser does not result in user being logged out



I’m not sure if this is related to rememberLastLogin or not (if so, then setting it to false does not produce the desired results). I’m assuming that a remembered login state is managed through a cookie? If so, can that cookie be set to expire with the session? The problem is that there is no way to prevent the user from closing the browser without logging out (yes, I can catch that event and warn them, but they can override it). When that happens, the user remains in a logged-in state, so that they (or someone else) can just go back to the SPA and find themselves still logged in. This is a pretty serious security hole. By the way, the same thing happens if I log into and just close the browser without logging out.