Remember Browser

Can someone confirm that if an account is currently in the middle of the 30-day Remember Browser period and the browser updates (i.e., Chrome goes from v77 to v78), this invalidates the browser on Auth0’s end such that the next time the account logs in, they will have to use MFA?

Thx!
Jay

Hi @jblair,

This shouldn’t be a problem unless the browser clears the cookies during an update.

Has this happened to you?

Let me know.

Thanks,
Dan

Hi @dan.woda,

It’s our understanding that this isn’t a cookie-based remember me, and that it’s some kind of digital signature stored by Auth0 (hence the question).

Part of the reason we believe this is that clearing cookies locally has no effect. In fact, the only way we’ve found to clear remember me is by making API calls to Auth0.

Thx,
Jay

@jblair,

Logout has 3 layers: Application, Auth0 Session, and IDP Session. The application layer is stored locally, typically as a token. The Auth0 session is set via a cookie intended for the Auth0 login domain. And the IDP session is based on the provider and will depend on whether it is a social connection, an enterprise connection, etc.

This doc goes into detail:

I am not sure of the digital signature you are referring to. Do you have more detail or an example of a user remaining authenticated even after cookies are cleared and the local token is erased?

@dan.woda,

Thx for your response. I’m sorry, we’re talking about different things. It’s not a question of remaining authenticated.

I’m referring to the “allowRememberBrowser” property as part of MFA, so that the user doesn’t have to provide a 2nd factor every single time.

This appears to use some sort of digital signature that Auth0 maintains.

Recently, I had someone log in who had logged in 2 weeks ago. At that time, they did a 2nd factor. Then two weeks later, same machine, same browser, they had to do it again. I looked at the data for each login, and while I don’t know the specifics of Auth0’s implementation for remembering the browser for MFA, the only data I saw that could be the reason to invalidate the remember browser was that the person’s version of Chrome went from v77 to v78.

Thx,
Jay