SSO logout - how to logout user from all applications?

Hi @noelt.dolan

Could you also let me know if you are using Refresh Tokens and different subdomains for all of your applications?

It appears that even if the Auth0 session is being cleared, the application session is being persisted since it does not check frequently enough for their session. As per our documentation, this can be handled in two ways:

  • Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.

  • Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.

Otherwise, one way you may implement this is to have your own session management API: a user logout on one app sets a flag there (posting the user_id, email, connection, client_id, etc.). You have key pages in your applications that poll your session management API, and if a record exists for the user and connection, this indicates a logout has occurred (perhaps check whether the logout is recent using a configurable threshold); then, within that application, redirect the user to our logout endpoint and perform any application-level session clean-up if relevant.

If I can help you out with anything else regarding the matter, let me know!

Kind Regards,

Nik
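The session-management API pattern from the reply above, as an added example that is not part of the original post and not Auth0's code: an in-memory logout registry plus the check an application runs on its key pages, using a constructed user id and connection name. It adds one check the reply does not spell out: the logout record must be newer than the polling app's own local session, otherwise a user who logs out and signs back in would keep being bounced by their own stale record.

```python
import time


class LogoutRegistry:
    """In-memory stand-in for the session-management API (hypothetical, for illustration)."""

    def __init__(self, threshold_seconds=300, clock=time.time):
        self.threshold = threshold_seconds  # configurable "is this logout recent?" window
        self.clock = clock                  # injectable so tests are deterministic
        self._events = {}                   # (user_id, connection) -> (logged_out_at, client_id)

    def record_logout(self, user_id, connection, client_id):
        """Called by whichever application handled the user's logout."""
        self._events[(user_id, connection)] = (self.clock(), client_id)
        return self._events[(user_id, connection)]

    def recent_logout(self, user_id, connection):
        """Return the logout record if one exists and is within the threshold, else None."""
        event = self._events.get((user_id, connection))
        if event is None:
            return None
        logged_out_at, client_id = event
        if self.clock() - logged_out_at > self.threshold:
            return None  # stale record: treat as no logout
        return {"logged_out_at": logged_out_at, "client_id": client_id}


def should_force_logout(registry, user_id, connection, session_started_at):
    """Polled from an application's key pages.

    True means: clear the local session and redirect the user to the IdP logout
    endpoint. The record must postdate this app's own local session so that a
    user who logged out and then signed in again is not logged out again.
    """
    event = registry.recent_logout(user_id, connection)
    return event is not None and event["logged_out_at"] > session_started_at


if __name__ == "__main__":
    # Constructed sample values, not real Auth0 identifiers.
    registry = LogoutRegistry(threshold_seconds=60)
    app_b_session_started = time.time() - 120  # app B logged the user in two minutes ago
    registry.record_logout("auth0|example-user", "Username-Password-Authentication", "app-a")
    print("app B must log out:",
          should_force_logout(registry, "auth0|example-user",
                              "Username-Password-Authentication", app_b_session_started))
```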