Closing the browser does not result in user being logged out

lock
security
lock-11

#1

I’m not sure if this is related to rememberLastLogin or not (if so, then setting it to false does not produce the desired results). I’m assuming that a remembered login state is managed through a cookie? If so, can that cookie be set to expire with the session? The problem is that there is no way to prevent the user from closing the browser without logging out (yes, I can catch that event and warn them, but they can override it). When that happens, the user remains in a logged-in state, so that they (or someone else) can just go back to the SPA and find themselves still logged in. This is a pretty serious security hole. By the way, the same thing happens if I log into auth0.com and just close the browser without logging out.


#3

Hey @eric3!

As it has been more than a few months since this topic was opened, and there has been no reply or further information provided from the community as to the existence of the issue, we would like to check if you are still facing the described challenge.

We are more than happy to assist in any way! If the issue is still out there, please let us know so we can create a new thread for better visibility; otherwise we’ll close this one in a week’s time.

Thank you!


#4

This topic was automatically closed after 5 days. New replies are no longer allowed.