Cookies Set by the auth0-spa-js Library on Browsers

Overview

This article explains some of the cookies the auth0-spa-js library sets in the browser.

List of cookies:

auth0.{CLIENT_ID}.is.authenticated

auth0.{CLIENT_ID}.organization_hint

_legacy_auth0.{CLIENT_ID}.is.authenticated

_legacy_auth0.{CLIENT_ID}.organization_hint

browser-tabs-lock-key-auth0.lock.getTokenSilently

Applies To

  • Cookies
  • auth0-spa-js

Solution

auth0.{clientId}.is.authenticated: This cookie keeps track of user sessions in the checkSession API to prevent unnecessary calls to Auth0 while there is a valid session for the user.

auth0.{clientId}.organization_hint: This cookie stores the organization ID. If the cookie is present and the application did not pass an organization ID on the next login attempt, the SDK reads the organization ID from the cookie while building the /authorize call for silent authentication. This is the fallback path used when rotating refresh tokens could not be used.

  // Excerpt from auth0-spa-js: fall back to the organization hint stored in the
  // cookie when the caller did not pass an organization for this /authorize call.
  const orgHint = this.cookieStorage.get<string>(this.orgHintCookieName);

  if (orgHint && !params.organization) {
    params.organization = orgHint;
  }

Both of these cookies have client IDs in their name. Therefore, different applications authenticated on the same browser with different client IDs will have separate cookies.
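The following is an added example, not code from auth0-spa-js or from this article. It models in plain JavaScript what the two sections above describe: the per-client cookie names, the organization-hint fallback quoted from the SDK, and a small audit helper that lists which client IDs have an is.authenticated marker in a cookie string. The cookie string and the client IDs abc123 and xyz789 are constructed sample data; reading the _legacy_ copy when the unprefixed cookie is absent is an assumption about the SDK's legacy handling, which the article only names.

```javascript
// Added example (not auth0-spa-js code): models the cookie names the article
// lists and the organization-hint fallback it quotes. SAMPLE_COOKIES and the
// client IDs in it are constructed sample data.
const LEGACY_PREFIX = '_legacy_'; // prefix of the duplicate cookies for legacy browsers

// Build the four cookie names the article lists for one client ID.
function cookieNamesFor(clientId) {
  const base = [
    `auth0.${clientId}.is.authenticated`,
    `auth0.${clientId}.organization_hint`
  ];
  return base.concat(base.map(n => LEGACY_PREFIX + n));
}

// Parse a document.cookie-style string ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = decodeURIComponent(part.slice(idx + 1).trim());
    if (name) jar.set(name, value);
  }
  return jar;
}

// Read a cookie, falling back to its _legacy_ copy. ASSUMPTION: this mirrors how
// the SDK's legacy-aware cookie storage behaves; the article only lists the names.
function getWithLegacyFallback(jar, name) {
  return jar.has(name) ? jar.get(name) : jar.get(LEGACY_PREFIX + name);
}

// Same rule as the SDK snippet quoted in the article: only fill params.organization
// when the caller did not pass one and a hint cookie exists. Returns a new object.
function applyOrgHint(jar, clientId, params) {
  const orgHint = getWithLegacyFallback(jar, `auth0.${clientId}.organization_hint`);
  if (orgHint && !params.organization) {
    return { ...params, organization: orgHint };
  }
  return params;
}

// Audit helper: which client IDs have an is.authenticated cookie (either form) present?
// Useful when checking what an origin's cookie jar reveals about active sessions.
function authenticatedClientIds(jar) {
  const re = /^(?:_legacy_)?auth0\.(.+)\.is\.authenticated$/;
  const ids = new Set();
  for (const name of jar.keys()) {
    const m = re.exec(name);
    if (m) ids.add(m[1]);
  }
  return [...ids].sort();
}

// Constructed sample: two applications on one origin; the second only has legacy cookies.
const SAMPLE_COOKIES =
  'auth0.abc123.is.authenticated=true; auth0.abc123.organization_hint=org_A1; ' +
  '_legacy_auth0.xyz789.is.authenticated=true; _legacy_auth0.xyz789.organization_hint=org_B2; ' +
  'other=1';

const jar = parseCookieHeader(SAMPLE_COOKIES);
console.log(cookieNamesFor('abc123'));
console.log(authenticatedClientIds(jar));
console.log(applyOrgHint(jar, 'xyz789', { redirect_uri: 'https://app.example/callback' }));
console.log(applyOrgHint(jar, 'abc123', { organization: 'org_explicit' }));
```

Because the names embed the client ID, the audit helper separates the sessions of different applications sharing one origin, which is the point the section above makes about separate cookies per client ID.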

The _legacy_ prefix marks duplicate copies of these two cookies that are set to support legacy browsers. See Handle incompatible clients for more details.

browser-tabs-lock-key-auth0.lock.getTokenSilently: This entry is set by a dependency of auth0-spa-js, the browser-tabs-lock library, which the getTokenSilently() API uses to acquire a lock across browser tabs before it runs.

The following issue has some more details which may be helpful.

QuotaExceededError thrown from getTokenSilently() #455
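The block below is an added example and is not the browser-tabs-lock implementation. It is a simplified model of a key-based cross-tab lock, written to show what the browser-tabs-lock-key-auth0.lock.getTokenSilently entry represents (a record of which tab currently holds the lock) and how a storage quota failure of the kind the linked issue reports surfaces to the caller. FakeStorage is a constructed in-memory stand-in for window.localStorage; the 5-second TTL, the stored JSON shape and the tab identifiers are assumptions made for the example.

```javascript
// Added example (not browser-tabs-lock code): a simplified model of a key-based
// cross-tab lock. FakeStorage is a constructed stand-in for localStorage; the TTL,
// the JSON record shape and the tab IDs are assumptions for illustration.
const LOCK_KEY = 'browser-tabs-lock-key-auth0.lock.getTokenSilently';

class FakeStorage {
  // quotaBytes lets a test simulate a full store that throws QuotaExceededError.
  constructor({ quotaBytes = Infinity } = {}) {
    this.map = new Map();
    this.quotaBytes = quotaBytes;
  }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) {
    let used = 0;
    for (const [key, val] of this.map) if (key !== k) used += key.length + val.length;
    if (used + k.length + String(v).length > this.quotaBytes) {
      const err = new Error('quota exceeded');
      err.name = 'QuotaExceededError'; // same name browsers use for a full store
      throw err;
    }
    this.map.set(k, String(v));
  }
  removeItem(k) { this.map.delete(k); }
}

// Try to take the lock for tabId at time `now` (ms). Returns true when acquired.
// A record older than ttlMs is treated as abandoned by a closed tab and may be taken over.
function acquireLock(storage, tabId, now, ttlMs = 5000) {
  const raw = storage.getItem(LOCK_KEY);
  if (raw !== null) {
    const held = JSON.parse(raw);
    if (now - held.acquiredAt < ttlMs) return false; // live lock held by another tab
  }
  storage.setItem(LOCK_KEY, JSON.stringify({ owner: tabId, acquiredAt: now }));
  // Re-read to confirm this tab's write is the one that landed.
  return JSON.parse(storage.getItem(LOCK_KEY)).owner === tabId;
}

// Release only if this tab is the recorded owner, so a late release cannot
// drop a lock that another tab has since taken over.
function releaseLock(storage, tabId) {
  const raw = storage.getItem(LOCK_KEY);
  if (raw !== null && JSON.parse(raw).owner === tabId) storage.removeItem(LOCK_KEY);
}

// Wrapper that distinguishes "lock busy" from "storage unusable": a full store must
// not be reported as a held lock, or the caller would keep retrying forever.
function tryAcquire(storage, tabId, now) {
  try {
    return { acquired: acquireLock(storage, tabId, now), error: null };
  } catch (e) {
    if (e && e.name === 'QuotaExceededError') return { acquired: false, error: e.name };
    throw e;
  }
}

// Walk-through with two tabs and then a full store.
const store = new FakeStorage();
console.log('tab-A at t=0   ->', acquireLock(store, 'tab-A', 0));     // true
console.log('tab-B at t=100 ->', acquireLock(store, 'tab-B', 100));   // false, A holds it
console.log('tab-B at t=6000->', acquireLock(store, 'tab-B', 6000));  // true, A's record is stale
releaseLock(store, 'tab-B');
console.log('after release  ->', store.getItem(LOCK_KEY));             // null
console.log('full store     ->', tryAcquire(new FakeStorage({ quotaBytes: 10 }), 'tab-A', 0));
```

The takeover-after-TTL rule is what keeps a single crashed tab from blocking token refresh in every other tab, and the explicit QuotaExceededError branch is the check a practitioner would add so that a full storage area is surfaced as an error rather than looking like a permanently busy lock.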

Other supported front-end SDKs, such as the Auth0 React SDK, are built on the auth0-spa-js library, so they create the same cookies.