QA noticed a bug with the following behavior:
- User navigates to our web app.
- User is not auth’d, so app redirects to app’s auth0 login page.
- If user sits on the app’s auth0 login page for some amount of time (30+ mins?), and THEN attempts to login, the browser redirects briefly to the app (the app’s configured initiate_login_uri), then back to the app’s auth0 login page.
- Once user logs in again, the browser redirects to the app successfully.
Based on this documentation: at auth0-universal-login/configure-default-login-routes#users-bookmark-login-page (it won’t let me include links in my post?)
I’m assuming the problem is essentially:
“The state parameter points to a record in an internal database where we track the status of the authorization transaction. Whenever the transaction completes, or after a set time passes, the record is deleted from the internal database.”
Is it likely that this is the root cause of the issue I described above?
If so:
Is there a way to configure the “set time [that] passes”? If not, is there a recommended approach to work-around this rather annoying UX?
If not:
What else might the issue be?
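The mechanism the quoted documentation describes (a state value that maps to a pending transaction record, consumed on completion and purged after a time limit) is easy to model on the relying-party side. The following is an added example written for this thread, not Auth0's code and not something either participant posted. The names StateStore, handle_callback and STATE_TTL_SECONDS are hypothetical, the in-memory dict stands in for the "internal database", and the 30-minute TTL is a constructed placeholder, since Auth0 does not publish its own value. The point it demonstrates is why an expired or reused state must not be accepted and why the correct recovery is to restart the flow at initiate_login_uri, which is exactly the redirect round-trip QA observed.

```python
import secrets
import time
from dataclasses import dataclass

# Assumption: a short-lived lifetime for a pending authorization transaction.
# Constructed placeholder; Auth0's real value is not configurable or documented.
STATE_TTL_SECONDS = 30 * 60


@dataclass
class Transaction:
    created_at: float
    return_to: str  # where the user should land once login completes


class StateStore:
    """In-memory stand-in for the 'internal database' of pending transactions.

    The clock is injectable so expiry can be exercised without waiting."""

    def __init__(self, ttl=STATE_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._records = {}

    def begin(self, return_to):
        """Start a transaction: mint an unguessable, single-use state value."""
        state = secrets.token_urlsafe(32)
        self._records[state] = Transaction(self.clock(), return_to)
        return state

    def _purge_expired(self):
        now = self.clock()
        stale = [s for s, tx in self._records.items()
                 if now - tx.created_at > self.ttl]
        for s in stale:
            del self._records[s]

    def complete(self, state):
        """Consume the transaction. Returns the Transaction, or None when the
        state is unknown, already used, or expired (all three look identical,
        which is deliberate: the caller gets no oracle to distinguish them)."""
        self._purge_expired()
        return self._records.pop(state, None)


def handle_callback(store, state, initiate_login_uri="/login"):
    """Model of the app's redirect_uri handler.

    Returns (status, next_url). On a valid state the user continues to the
    page they originally wanted; otherwise the response is discarded and the
    user is sent to initiate_login_uri to begin a fresh transaction."""
    tx = store.complete(state)
    if tx is None:
        # Expired, replayed or forged state: never accept the authorization
        # response. Restarting the flow is the safe recovery.
        return ("restart", initiate_login_uri)
    return ("ok", tx.return_to)


if __name__ == "__main__":
    store = StateStore()
    s = store.begin("/dashboard")
    print(handle_callback(store, s))        # ('ok', '/dashboard')
    print(handle_callback(store, s))        # ('restart', '/login') -- single use
    print(handle_callback(store, "bogus"))  # ('restart', '/login')
```

Note that the TTL is the only knob a relying party controls in its own store, and it is the one the thread asks about on the Auth0 side; the reply below explains why Auth0 does not expose it.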
Hi @dreagan, and welcome to the Auth0 Community!
I’m sorry to hear about the unpleasant UX experience. As this knowledge article explains, it is not possible to extend the duration of the state parameter, as this is a security measure.
Perhaps an alternative for a better UX would be to display a friendly message to the user after a period of inactivity, with a button to refresh their session (sending them back to the login page with a new state).
I hope this helps, and don’t hesitate to ask more!
Sincerely,
Teodor.
The issue I describe doesn’t have anything to do with inactivity in the app, though.
The issue is, once the user gets to the app’s auth0 login page, if they sit there for some time, and attempt to login, it doesn’t work & they must login again. This same issue could arise even with your suggestion above!
Yes, I was referring specifically to the login page when I talked about inactivity. I apologize for the misunderstanding.
While it does not solve the problem entirely, the alternative I mentioned lets the user know that their session is about to expire.
Ok, I’m a bit confused…the login page is the auth0 login page (as I mentioned in my original post). How would we modify the behavior of this page? How would we, for example, add inactivity behavior to the app’s auth0 login page?
To clarify, I’m confused, because I didn’t think the universal login experience can be customized with custom javascript, etc? Can it?
Oh, my bad. That is correct. The New Universal Login page cannot be customized with code. If you were to add the custom JavaScript, it would change to the Classic Login. That doesn’t leave you with an option to change the behaviour, sorry for misguiding you!