Synchronizing session across browser tabs

We have a SPA that talks to a backend of our own. In the SPA we keep both the ID and access tokens in memory, as per the security guidelines (i.e. not storing them in localStorage or similar). Now, a user may have more than one open browser tab, looking at different resources of our app. Let's say now that the token expires and the user is logged out of all the tabs at once. When the user logs back in on one tab, we would like the other tabs to be logged in too. What is the recommended approach to handle this case, assuming we are not storing tokens in localStorage / cookies / etc.?

Hi @andres,

I think this would be covered under SSO.

In your SPA the isAuthenticated method (if you are using auth0-spa-js) can be used to check if a session exists for that user.

Have you tried this and run into an issue?

Thanks for the response and the link, @dan.woda! Just to give a bit more info, we are using auth0-js (not auth0-spa-js) with embedded login.

Having said that, by looking a bit more in depth at SSO it seems that this should work:

  • Have an isLoggedIn flag in local storage.
  • Make each tab register for changes on it.
  • Upon a change, if isLoggedIn is true, then trigger a call to checkSession. Once the first tab logs in, the rest should succeed as they would for usual silent authentication.
  • Similarly, if isLoggedIn is false, then log out.

However, in this case each tab would end up with a unique access token, as each one would send a separate checkSession call. Is that correct?
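The flag-and-storage-event scheme laid out in the list above, as an added example that is neither the thread's nor Auth0's code. `createSessionSync`, its `deps` object and the `fakeBrowser` test double are assumed names; `checkSession(cb)` stands in for auth0-js's `webAuth.checkSession(options, callback)`.

```javascript
// Added example (not Auth0's or the thread's code): the localStorage-flag
// scheme from the post above, with access tokens held only in memory.
const FLAG_KEY = 'isLoggedIn';
// Hypothetical factory; `deps` abstracts the browser and auth0-js pieces:
//   storage: localStorage-like object with setItem(key, value)
//   subscribe(fn): registers fn(key, newValue) for cross-tab 'storage' events
//   checkSession(cb): auth0-js style silent auth, cb(err, result)
//   onLogout(): per-tab cleanup hook
function createSessionSync(deps) {
  let accessToken = null; // lives in this tab's memory only
  deps.subscribe((key, newValue) => {
    if (key !== FLAG_KEY) return;
    if (newValue === 'true') {
      // Every tab runs its own silent auth, so each ends up with its own token.
      deps.checkSession((err, result) => {
        accessToken = err ? null : result.accessToken;
      });
    } else {
      accessToken = null;
      deps.onLogout();
    }
  });
  return {
    // Used by the tab where the user really logged in/out; the write notifies the rest.
    loggedIn(token) { accessToken = token; deps.storage.setItem(FLAG_KEY, 'true'); },
    loggedOut() { accessToken = null; deps.onLogout(); deps.storage.setItem(FLAG_KEY, 'false'); },
    getToken() { return accessToken; },
  };
}

// Constructed stand-in for a browser with several tabs. It mimics the real
// rule that a 'storage' event fires in every tab except the one that wrote.
function fakeBrowser() {
  const data = new Map();
  const listeners = new Map(); // tabId -> event handler
  let issued = 0;
  return {
    openTab(tabId) {
      return createSessionSync({
        storage: {
          setItem(k, v) { data.set(k, v); for (const [id, fn] of listeners) if (id !== tabId) fn(k, v); },
        },
        subscribe: (fn) => listeners.set(tabId, fn),
        checkSession: (cb) => cb(null, { accessToken: `tok-${++issued}` }),
        onLogout() {},
      });
    },
  };
}
```

Only the boolean flag ever touches localStorage; each tab's token stays in its own memory, and a tab opened after the login has to run its own checkSession since it missed the event.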

This still seems to be the best method, as you are not storing a token in a location that is vulnerable to an XSS attack (i.e. localStorage). Do you have a concern about having multiple tokens issued?

Thanks,
Dan

Sorry for the delay @dan.woda, I totally missed your reply. No, no problem at all on having multiple tokens, just wanted to double check that was the expected outcome.

Thanks again!

@andres,

No problem! Thanks for responding.

Cheers,
Dan
