Expired Log In Transaction Behavior


I’m prepping my classic universal login page for the upcoming 1-hour expiration. Because we’re not on the new universal login, users will get redirected to our generic error page (not any default or client specific initiate_login_url) when the log in transaction has expired. The expiration right now is 3 days but more like 2-3 hours in my experience. I am adding some javascript to the login.html page to set a pre-login session expiration that once triggered will warn users and provide a link to restart the login flow. This seems like a better ux for users.

My question: Because we have multiple apps/clients (web/native) with their own initiate_login_url, would it be enough to just call window.location.reload() vs create branching logic to figure out the client_id and redirect to a url that will start the log in flow again? More specifically is Auth0 smart enough to handle this page reload and redirect the client caller with a new auth transaction state that preserves any other data that was passed to it? This seems like the right and easiest approach, if Auth0 can handle that.

I assume this works because I can start a login flow, let it sit for an extended amount of time, and when I reset it, the auth flow begins again and I get new values in my url query parameters, at least the state one.

Yes, calling window.location.reload() should be sufficient in your case to restart the login flow. When the page reloads, Auth0 will handle the authentication process again and generate a new authentication transaction state.

Auth0 is designed to handle these scenarios seamlessly. When the page is reloaded, Auth0 will recognize that the authentication transaction has expired and initiate a new login flow. The new login flow will generate new values for the URL query parameters, including the state parameter.

By using window.location.reload(), you ensure that the user is redirected back to the appropriate initiate_login_url for their specific app/client. This eliminates the need for branching logic to determine the client_id and redirect accordingly.

Overall, this approach should work well and provide a better user experience by warning users and giving them the option to restart the login flow when the session has expired.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.