Feature Request: Ability to Invalidate Auth0 Session Cookies During Signup / Aborted Authentication Flows

Description: During Universal Login flows, an Auth0 session cookie (auth0=...) may exist before user creation or before authentication is finalized.

In our application, we intentionally limit the acceptable lifetime of an unauthenticated or pre-finalization session in order to reduce the risk of session cookie theft or reuse.

We currently have no supported way to explicitly invalidate an Auth0 session when a signup or authentication flow is denied based on elapsed time or security checks.

Platform limitations:

  • api.session.revoke() is only available in post-login

  • Post-login does not run when signup or authentication is denied

  • pre-user-registration can deny the flow but cannot revoke the session

  • Redirecting to /oidc/logout is not reliably supported during signup/authentication flows

As a result, Auth0 sessions may remain valid beyond the security window we define, even when we intentionally abort the flow.

Use-case: To reduce the risk of session hijacking, we enforce a maximum allowed duration for unauthenticated signup or authentication flows.

Example:

  1. A user begins signup and an Auth0 session cookie is created

  2. The session remains inactive or incomplete

  3. More than 30 minutes elapse

  4. On the next interaction, the application detects that the allowed time window has expired

  5. The signup/authentication attempt is denied

Expected behavior:
Once the time window has expired and the flow is denied, the Auth0 session associated with that flow should be invalidated to prevent reuse.

Current behavior:
The flow can be denied, but the Auth0 session cookie remains valid, allowing the same session to be reused beyond the intended security window.

This limits our ability to fully enforce time-based protections against session cookie theft or fixation during signup and authentication.
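To make the gap concrete, here is an added illustration (not code from the original request): the same 30-minute check written as a post-login Action, where deny and revoke are both available, and as a pre-user-registration Action, where only deny is. It assumes `event.session.created_at` carries the session creation time, that `api.session.revoke(reason)` and `api.access.deny(...)` behave as the post describes, and that the app passes the signup start time in a hypothetical `flow_started_at` query parameter.

```javascript
// Added example, not code from the original post. Assumptions (labelled):
//  - event.session.created_at is the session creation time as ISO-8601 text
//  - api.session.revoke(reason) and api.access.deny(reason) exist in post-login,
//    and pre-user-registration has only api.access.deny(reason, userMessage)
//  - the signup flow start time reaches pre-user-registration via a query
//    parameter named flow_started_at (hypothetical; your app must supply it)
const MAX_FLOW_MS = 30 * 60 * 1000; // the 30-minute window from the post

// Pure check, testable without Auth0. Fails closed on an unreadable timestamp.
function checkWindow(startedAt, nowMs, maxMs = MAX_FLOW_MS) {
  const startMs = Date.parse(startedAt);
  if (Number.isNaN(startMs)) return { expired: true, elapsedMs: null };
  const elapsedMs = nowMs - startMs;
  return { expired: elapsedMs > maxMs, elapsedMs };
}

// Post-login Action: deny AND revoke are both available here, so the window
// can be fully enforced once the user reaches this trigger.
function onExecutePostLogin(event, api, nowMs = Date.now()) {
  const { expired } = checkWindow(event.session?.created_at, nowMs);
  if (!expired) return "allowed";
  api.session.revoke("Authentication flow exceeded the 30-minute window");
  api.access.deny("Session expired; please start again");
  return "denied-and-revoked";
}

// Pre-user-registration Action: the same check can only deny. The auth0
// session cookie stays valid, which is exactly the gap this request describes.
function onExecutePreUserRegistration(event, api, nowMs = Date.now()) {
  const startedAt = event.request?.query?.flow_started_at; // hypothetical
  const { expired } = checkWindow(startedAt, nowMs);
  if (!expired) return "allowed";
  api.access.deny("flow_expired", "Signup took too long; please start again");
  return "denied-session-still-valid";
}

// Constructed stand-in for the Actions api object, for local exercise only.
function mockApi() {
  const calls = [];
  return {
    calls,
    session: { revoke: (reason) => calls.push(["session.revoke", reason]) },
    access: { deny: (...args) => calls.push(["access.deny", ...args]) },
  };
}

// In a real Action you would assign exports.onExecutePostLogin instead.
if (typeof module !== "undefined") module.exports = { checkWindow, onExecutePostLogin, onExecutePreUserRegistration, mockApi };
```

Running the two handlers against the mock shows the asymmetry: the post-login path records a revoke followed by a deny, while the pre-registration path records only the deny.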

Broader Impact

This limitation is not unique to our application. Any Auth0 customer that:

  • Enforces time-bound signup or login flows

  • Implements step-up verification, multi-step registration, or progressive profiling

  • Detects suspicious behavior mid-flow

  • Wants to reduce exposure to session hijacking or fixation

faces the same challenge.

Without a supported way to invalidate sessions when flows are denied or expire, applications cannot fully enforce time-based or risk-based protections, even when Auth0 Actions correctly detect and block suspicious behavior.

Providing a way to explicitly invalidate Auth0 sessions in these scenarios would improve baseline security for a wide range of Auth0 users and align with common industry best practices.