Expired Log In Transaction Behavior

eih · November 30, 2023, 7:00pm

Background:

I’m prepping my classic universal login page for the upcoming 1-hour expiration. Because we’re not on the new universal login, users will get redirected to our generic error page (not any default or client specific initiate_login_url) when the log in transaction has expired. The expiration right now is 3 days but more like 2-3 hours in my experience. I am adding some javascript to the login.html page to set a pre-login session expiration that once triggered will warn users and provide a link to restart the login flow. This seems like a better ux for users.

My question: Because we have multiple apps/clients (web/native) with their own initiate_login_url, would it be enough to just call window.location.reload() vs create branching logic to figure out the client_id and redirect to a url that will start the log in flow again? More specifically is Auth0 smart enough to handle this page reload and redirect the client caller with a new auth transaction state that preserves any other data that was passed to it? This seems like the right and easiest approach, if Auth0 can handle that.

I assume this works because I can start a login flow, let it sit for an extended amount of time, and when I reset it, the auth flow begins again and I get new values in my url query parameters, at least the state one.

pratyush.pandey · January 4, 2024, 7:03pm

Yes, calling window.location.reload() should be sufficient in your case to restart the login flow. When the page reloads, Auth0 will handle the authentication process again and generate a new authentication transaction state.

Auth0 is designed to handle these scenarios seamlessly. When the page is reloaded, Auth0 will recognize that the authentication transaction has expired and initiate a new login flow. The new login flow will generate new values for the URL query parameters, including the state parameter.

By using window.location.reload(), you ensure that the user is redirected back to the appropriate initiate_login_url for their specific app/client. This eliminates the need for branching logic to determine the client_id and redirect accordingly.

Overall, this approach should work well and provide a better user experience by warning users and giving them the option to restart the login flow when the session has expired.

system · January 18, 2024, 7:03pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Does the auth0 login pages expire? Help login-experience , new-universal-login-experience	2	348	February 29, 2024
About the 'Reducing Maximum Expiration Time for Login Transactions.' Email Knowledge Articles	1	1230	October 3, 2023
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported Help classic-universal-login-experience , login-experience	2	306	April 2, 2024
Force Password Expiration after 90 days with automatically redirect Help login-experience , reset-password-prompt-new-experience	6	3169	May 8, 2024
Default login route on native mobile apps Help login-experience , new-universal-login-experience	1	812	October 30, 2024

Expired Log In Transaction Behavior

Related Topics