Auth0 Home Blog Docs

Is it possible to avoid errors caused by user pressing back button immediately after login?



On my webpage, Lock shows up. The user clicks Facebook login and is not already logged into Facebook elsewhere in their browser. The user is then taken to the Facebook authentication page for login (i.e. not on my page). The user inputs their valid credentials and is redirected to my page. When they hit the back button, this invalid/expired authentication page appears:

![alt text][1]

My question is, is there any way to avoid this invalid/expired authentication page when the user hits the back button after successful social authentication?


Due to the way the authentication process works there are some intermediate steps which are not repeatable. The user going back on history leads to an attempt to repeat one of those intermediate steps and the current default behavior is to show an error page; as an informal note, I’ve seen internal discussions where other options besides an error page were being discussed for situations similar to the one you mention, however, at this time I can neither provide you confirmation if that will happen or any timeline information.

The non-repeatable step is pretty much unavoidable due to how the underlying authentication protocol (OAuth2/OIDC) works, however, there are some things you may consider:

  • if your application upon receiving the final redirect performs some automatic navigation of it’s own then it can put in the browser history at least one repeatable step; however, this would mostly be useful for the scenario where a user presses the back button by mistake as a sufficiently determined user could still go back many times and trigger a non-repeatable step that results on an error.
  • if your application triggers the authentication in such way that it’s all performed within a popup window then all the non-repeatable steps would be associated with the popup window that gets automatically closed upon authentication being completed. However, using popups may be a problem on it’s own.
  • in your account advanced settings you have a error pages section which would allow you to configure your own error page to where users should be redirected; this would not prevent the error, but it could possibly allow you to handle it a bit differently. However, this would be applicable for all types of errors which means it’s applying a global fix just for a specific issue so again it has it’s downsides.


Hey Mr. Angelo,

Thank you very much for clarifying and explaining the situation, and also thanks for providing some possible solutions. I understand what’s going on now.