The user will use credentials to login into the application and Auth0 will assign a token to the user to interact with my application. As it is known, token will expire after some days.
Here application will take to login page once the user clicks on the logout button from the application. But the Auth0 tokens are still valid at server side, here the point is if an attacker or shared computer user can log in into the application without entering the credentials.
Now, how can I prevent this? So that application should ask for credentials when a user logouts from the application, also the previous tokens should be declined if it is reused.
Yes, I am calling /v2/logout/ from the app and redirecting the user to the login page.
Here, once the user logs out from the app, the Authorization bearer(token) is not expired at the server side. Below are the steps I have done correctly.
I have captured the user request were using the proxy and saved them.
Then user logs out from the application by clicking logout button from the application.
Now I sent the saved request(post authentication) to the server (point 1) and received the valid data in the response from the server. But here the user can request the sensitive data using tokens even though logged out from the application.
Here my concern is about security.
Once the user logs out from the application. Why the tokens are not expired. If I implemented the authentication part insecurely, then let me know the secure way, so that once the user logs out from the application all the cookies, tokens should expire at client side and server side as well.
I am concerned about the security of my application from attack vectors like the MITM (even though using TLS) or the same computer shared between 2-3 users.
Guide me how to implement the secure way of authentication, so that the token should expire after the user clicks logout button from my app.