Hi all! We are getting the following error on occasion. Several users have reported it, but it doesn’t happen every time. When the error does show up, it’s after the user has been redirected to the login screen of our system after a session timeout. Our session timeout is set to go after 15 minutes of inactivity.
Please see the message below:
invalid_request: You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn’t find your session. Try logging in again from the application and if the problem persists please contact the administrator.
It seems that the users are being shown this error due to the session timing out.
My suggestion would be to configure a default login route at the tenant level to ensure that the user is redirected to that URL, rather than being shown this error.
Hey Harsh, thanks for your reply! We are redirecting to our login page when there is a session timeout.
In order to reproduce the error, what we have done is leave an open session; the session times out and the user is redirected to the login page. If the user doesn’t sign in again within a long period (2 hours or more), sometimes (not always) the login won’t work, displaying this error.
I have also left the session open overnight, I always find the login page when I come back (which is expected) but sometimes when I log in I get the error screen, other times I don’t.
If the user signs in shortly after they have been kicked out, there is no issue.
Hey Maria,
I think @Harsh2 was on the right track. You would have to go to your application settings inside your tenant and set the default login path (I don’t think localhost qualifies as a valid login path). This will be the default login URL for your application. In cases of timeout, Auth0 will try to redirect the client to that URL instead of presenting you the invalid request error. I hope this helps.
I want to emphasize that the user is always redirected to the corresponding login page after the session time-out. The error shows when the user tries to sign in after leaving the login page open. The error shows up when they place their credentials and click on the login button. Is there something that expires on the login page?
I’m not 100% sure, but it might be the state value used by Auth0 as part of preventing CSRF attacks expiring after a certain time. I don’t know if there is a workaround for the issue.
Sorry to revive this thread but it was the only one I found with the exact same issue I’m currently facing.
The suggestion about using this was interesting, but I configured the URLs and didn’t get any change in Auth0 behavior; the error still occurs after exactly 1 hour of leaving the login page idle.
It works if you use a bookmark or tamper with the request once in Auth0, as you get redirected to that URL, but it doesn’t use it when the authentication fails due to the state parameter not being valid anymore (after 1 hour).
Also, for what it’s worth, that Tenant setting is one place where you can configure that URL, but there’s a similar field that’s per-application, so probably the tenant-wide setting won’t fit your use case but a per-application one may… or at least would if the setting works as it seems it should.
I also configured the Default Login Route (Configure Default Login Routes) on the client through the Management API, which is a value that is not reflected anywhere in the administrative console, but I’m not sure how this works or if it’s overwritten by the ones in the admin console.
Any ideas how we can redirect users properly when the authentication process fails due to leaving the login page inactive for longer than 1 hour?
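The thread above speculates that the error comes from an anti-CSRF `state` value expiring after about an hour, and the last post asks how to send users back to the login flow instead of an error page when that happens. The following is an added example, not code from this thread or from Auth0: it models the general mechanism on the application's own side, issuing a single-use `state` with a time-to-live, and makes the callback handler restart login (via a hypothetical app-level `DEFAULT_LOGIN_ROUTE`) rather than fail when the state is missing or stale. The one-hour TTL, the route name and the in-memory store are all assumptions made for the illustration; nothing here changes how Auth0's hosted login page behaves.

```python
"""Model of an OAuth/OIDC `state` parameter with a time-to-live.

Hypothetical application-side logic (assumption, not Auth0's implementation):
the app creates a random state before redirecting to the identity provider,
remembers when it was issued, and on the callback decides whether to continue
the login, or send the user back to start it again.
"""
import secrets
import time

# Assumption: mirrors the roughly one-hour window observed in the thread.
STATE_TTL_SECONDS = 60 * 60

# Assumption: the application's own route that starts a fresh login.
DEFAULT_LOGIN_ROUTE = "/login"


class StateStore:
    """In-memory stand-in for a server-side session store keyed by state."""

    def __init__(self):
        self._issued_at = {}

    def issue(self, now=None):
        """Create a fresh, unguessable state and record its issue time."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._issued_at[state] = now
        return state

    def consume(self, state, now=None):
        """Return 'ok', 'expired' or 'unknown'.

        The state is removed on first use whatever the verdict, so a replayed
        callback (back button, refresh) cannot reuse it.
        """
        now = time.time() if now is None else now
        issued_at = self._issued_at.pop(state, None)
        if issued_at is None:
            return "unknown"
        if now - issued_at > STATE_TTL_SECONDS:
            return "expired"
        return "ok"


def handle_callback(store, returned_state, code, now=None):
    """Decide what the callback endpoint does with the returned state.

    Returns (action, target, reason):
      ("exchange_code", code, "ok")                  fresh, known state: proceed
      ("redirect", DEFAULT_LOGIN_ROUTE, "expired")   stale state: restart login
      ("redirect", DEFAULT_LOGIN_ROUTE, "unknown")   never issued / already used
    In both redirect cases the authorization code is deliberately not exchanged.
    """
    verdict = store.consume(returned_state, now)
    if verdict == "ok":
        return ("exchange_code", code, verdict)
    # A stale or unknown state gets the same safe treatment: do not accept the
    # code, send the user back to begin a new login instead of showing an error.
    return ("redirect", DEFAULT_LOGIN_ROUTE, verdict)


if __name__ == "__main__":
    store = StateStore()
    t0 = 1_000.0  # constructed clock values so the run is deterministic
    fresh = store.issue(now=t0)
    print(handle_callback(store, fresh, "code-1", now=t0 + 600))        # exchange_code
    stale = store.issue(now=t0)
    print(handle_callback(store, stale, "code-2", now=t0 + 3601))       # redirect, expired
    print(handle_callback(store, "never-issued", "code-3", now=t0))     # redirect, unknown
```

The design point is that "expired" and "unknown" are reported separately for logging but handled identically for the user: the callback never accepts an authorization code without a matching fresh state, and the user is sent to a known login route instead of a dead-end error screen.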