Hi everyone,
I’ve been using Auth0 for authentication on my restaurant-focused website, which mainly covers Texas Roadhouse menu updates, coupons, and location reviews. The setup works mostly fine — users can log in using Google or email/password — but recently, I started having issues with session persistence. After users successfully log in through Auth0, they’re redirected back to my site, but their authenticated session disappears within a few minutes or sometimes right after a page refresh. It’s inconsistent and confusing for both me and my users.
I’m using a React frontend with an Express.js backend, and I’m following Auth0’s official SPA + API integration flow. Tokens are being issued correctly — I can see the access token and ID token returned in the callback URL. However, when I store them in the browser (via cookies or localStorage), they either expire too early or fail to validate when checked against the backend. I’ve made sure the session cookie settings match the domain, but the issue persists across both production and staging environments.
I also noticed that the problem only happens on my live domain, not on localhost. Locally, everything works smoothly — I stay logged in, and the session remains valid for the configured time. On production (hosted on Netlify with a backend API running on Render), the Auth0 logs show a lot of “silent auth failed” and “invalid origin” errors. I double-checked the allowed callback URLs, logout URLs, and web origins in my Auth0 dashboard — they seem correct. Still, the issue looks like it’s caused by some mismatch between domains or cookie handling.
Another symptom is that sometimes, after login, users are redirected to a blank page or stuck in a redirect loop between Auth0 and my homepage. The browser console shows CORS errors or messages like:
Error: login_required at checkSession
I’ve tried enabling “Refresh Token Rotation” and adjusted the session lifetime under Advanced Settings, but it didn’t make much difference. It’s almost as if the session cookie isn’t sticking or the SPA isn’t picking up the token from the silent authentication properly.
To make things more confusing, my website uses a subdomain structure — the main site is on www.thetexasroadhousemenu.com, and the API runs on api.thetexasroadhousemenu.com. You can also check my site at https://thetexasroadhousemenu.com/. I suspect cross-site cookie restrictions might be involved here, especially with the SameSite and Secure attributes. I’ve tried adjusting those manually, but I’m not sure what the ideal configuration is for Auth0 with this kind of setup.
Has anyone else run into session persistence or silent auth issues when using Auth0 with Netlify or multi-domain SPAs? Should I be handling tokens differently (like storing them in memory instead of cookies), or would setting up a custom domain in Auth0 help stabilize this? Any insights or examples from people who’ve solved similar problems would be super helpful. Sorry for the long post!
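An added example, not part of the post above and not Auth0's SDK or the poster's code: it models the two rules that decide whether a session cookie set for www.thetexasroadhousemenu.com is attached to a credentialed request to api.thetexasroadhousemenu.com (cookie domain scope plus SameSite), and the matching exact-origin CORS allowlist the API would need. The hostnames come from the post; the allowlist, the function names and the simplified "last two labels" same-site rule are assumptions (real browsers use the Public Suffix List).

```javascript
// Added example, not code from the original post. Hostnames are taken from
// the post; ALLOWED_ORIGINS, the helper names and the simplified same-site
// check are assumptions for illustration.
const SITE = 'thetexasroadhousemenu.com';

// Exact-match allowlist for the API's CORS layer. With credentialed requests
// the server must echo one specific origin, never '*' and never whatever
// Origin header the client happened to send.
const ALLOWED_ORIGINS = new Set([`https://${SITE}`, `https://www.${SITE}`]);

function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Response headers for a credentialed CORS request, or null to reject it.
function corsHeadersFor(origin) {
  if (!isAllowedOrigin(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Vary': 'Origin', // the answer depends on Origin, so caches must key on it
  };
}

// Set-Cookie value for a session cookie shared by the www and api subdomains.
// Domain=<site> scopes it to the whole registrable domain; SameSite=Lax is
// enough because www.<site> -> api.<site> is a same-site request.
function sessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Domain=${SITE}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly', // not readable by script, so an XSS cannot exfiltrate it
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
// A leading dot in the Domain attribute is ignored, as browsers do.
function domainMatches(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Simplified "site" = last two labels. Assumption: no multi-label public
// suffixes (co.uk etc.) are involved; browsers consult the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function isSameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Would a browser attach `cookie` to a credentialed fetch from `origin` to
// `targetUrl`? Covers the checks that bite in a www/api split: scheme for
// Secure cookies, domain scope (host-only vs Domain=...), and SameSite.
function cookieWouldBeSent(cookie, origin, targetUrl) {
  const target = new URL(targetUrl);
  const originHost = new URL(origin).hostname;
  const sameSite = (cookie.sameSite || 'Lax').toLowerCase();

  if (cookie.secure && target.protocol !== 'https:') return false;
  const inScope = cookie.hostOnly
    ? target.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(cookie.domain, target.hostname);
  if (!inScope) return false;
  // SameSite=None is only honoured together with Secure.
  if (sameSite === 'none') return Boolean(cookie.secure);
  // Lax and Strict both withhold the cookie on cross-site fetch/XHR.
  return isSameSite(originHost, target.hostname);
}

// Small demonstration with the post's hostnames.
const shared = { domain: `.${SITE}`, secure: true, sameSite: 'Lax' };
const hostOnly = { domain: `www.${SITE}`, hostOnly: true, secure: true, sameSite: 'Lax' };
console.log('Domain cookie, www -> api:', cookieWouldBeSent(shared, `https://www.${SITE}`, `https://api.${SITE}/me`));
console.log('Host-only cookie, www -> api:', cookieWouldBeSent(hostOnly, `https://www.${SITE}`, `https://api.${SITE}/me`));
console.log('Set-Cookie:', sessionCookie('sid', 'opaque-session-id'));
```

The host-only case is the one that matches the post's symptom: a cookie set without a Domain attribute on www.thetexasroadhousemenu.com is never sent to api.thetexasroadhousemenu.com, whatever SameSite says. The same `isSameSite` test also explains the `login_required at checkSession` errors: the hidden-iframe silent-auth request targets the Auth0 tenant domain, which is a different site from the app, so browsers that block third-party cookies strip the tenant's login-session cookie from it. An Auth0 custom domain under the app's registrable domain (for example `login.thetexasroadhousemenu.com`, an assumed name) makes that request same-site and flips the result, which is the usual reason the custom-domain setup helps.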