We have a SPA that talks to a backend of our own. In the SPA we keep both the id and access tokens in memory, as per the security guidelines (i.e. not storing them in localstorage or similar). Now, a user may have more than one opened browser tab, looking at different resources of our app. Let’s say now that the token expires and the user is logged out of all the tabs at once. When the user logs back in one tab, we would like for the other tabs to be logged in too. What is the recommended approach to handle this case, assuming we are not storing tokens on localstorage / cookies / etc?
I think this would be covered under SSO.
In your SPA the isAuthenticated method (if you are using auth0-spa-js) can be used to check if a session exists for that user.
Have you tried this and run into an issue?
Thanks for the response and the link @dan.woda ! Just to give a bit more info, we are using auth0-js (not auth0-spa-js) with embedded login.
Having said that, by looking a bit more in depth at SSO it seems that this should work:
- Have an isLoggedIn flag in local storage.
- Make each tab register to changes on it.
- Upon a change, if true, then trigger a call to checkSession. Once the first tab logs in the rest should succeed as it would for usual silent authentication.
- Similarly, if
However, in this case each tab would end up with a unique access token, as each one would send a separate checkSession call, is that correct?
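The flag-in-localStorage scheme from the post above, written out as an added example (not code from this thread or from Auth0). Only the isLoggedIn flag is ever written to shared storage; each tab keeps its own token in memory and obtains it through its own silent checkSession call, so the tabs end up with distinct tokens. SharedStorage, Tab and issueToken are assumed stand-ins for window.localStorage with its cross-tab storage event, the app's per-tab code, and webAuth.checkSession respectively, so the example runs under Node without a browser.

```javascript
// Added example, not from the thread or from Auth0: cross-tab login sync via
// an `isLoggedIn` flag in localStorage while tokens stay in memory per tab.
// SharedStorage / Tab / issueToken are assumptions standing in for
// window.localStorage, the app's tab code and webAuth.checkSession.

const LOGIN_FLAG_KEY = "isLoggedIn";

// Stand-in for window.localStorage plus the cross-tab "storage" event.
// As in a browser, the event reaches every subscribed tab except the writer.
class SharedStorage {
  constructor() {
    this.data = new Map();
    this.tabs = new Set();
  }
  getItem(key) {
    return this.data.has(key) ? this.data.get(key) : null;
  }
  setItem(key, value, writer) {
    const oldValue = this.getItem(key);
    this.data.set(key, String(value));
    for (const tab of this.tabs) {
      if (tab !== writer) tab.onStorage({ key, oldValue, newValue: String(value) });
    }
  }
  keys() {
    return [...this.data.keys()];
  }
  subscribe(tab) {
    this.tabs.add(tab);
  }
}

// Stand-in for a silent checkSession call (assumption): every call yields a
// distinct token, which is exactly the one-token-per-tab outcome discussed.
let tokenCounter = 0;
function issueToken(tabName) {
  tokenCounter += 1;
  return `access-token-${tabName}-${tokenCounter}`;
}

class Tab {
  constructor(name, storage, checkSession) {
    this.name = name;
    this.storage = storage;
    this.checkSession = checkSession;
    this.accessToken = null; // memory only; never written to storage
    storage.subscribe(this);
  }

  // User logs in interactively in this tab, then announces it via the flag.
  loginInteractive() {
    this.accessToken = this.checkSession(this.name);
    this.storage.setItem(LOGIN_FLAG_KEY, "true", this);
  }

  // Token expiry or explicit logout: drop the in-memory token, clear the flag.
  logout() {
    this.accessToken = null;
    this.storage.setItem(LOGIN_FLAG_KEY, "false", this);
  }

  // Runs in the *other* tabs when the flag changes. Only the flag travels via
  // storage; each tab fetches its own token with its own silent checkSession.
  onStorage(event) {
    if (event.key !== LOGIN_FLAG_KEY) return;
    if (event.newValue === "true" && this.accessToken === null) {
      this.accessToken = this.checkSession(this.name);
    } else if (event.newValue === "false") {
      this.accessToken = null;
    }
  }
}

// Walk through the scenario from the thread with two tabs.
function simulate() {
  const storage = new SharedStorage();
  const tabA = new Tab("A", storage, issueToken);
  const tabB = new Tab("B", storage, issueToken);

  tabA.loginInteractive(); // user logs in on tab A; tab B follows silently
  const afterLogin = { A: tabA.accessToken, B: tabB.accessToken };

  tabB.logout(); // expiry or logout in one tab clears every tab
  const afterLogout = { A: tabA.accessToken, B: tabB.accessToken };

  return { afterLogin, afterLogout, storedKeys: storage.keys() };
}
```

In a real SPA the subscribe step is window.addEventListener("storage", e => tab.onStorage(e)) and the two checkSession uses become calls to webAuth.checkSession with a callback; the point the simulation makes is that the storage keys never contain a token, only the flag, so an XSS reading localStorage learns nothing more than whether someone is logged in.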
This still seems to be the best method as you are not storing a token in a location that is vulnerable to an XSS attack (i.e. localStorage). Do you have a concern about having multiple tokens issued?
Sorry for the delay @dan.woda, I totally missed your reply. No, no problem at all on having multiple tokens, just wanted to double check that was the expected outcome.
No problem! Thanks for responding.