Here is my scenario: I am working on a mobile application that relies on webviews for some functionality. I would like to be able to “transfer” the auth0 session from the mobile app context to the webview. The web app that is loaded in the webview is configured with ‘localStorage’ as the cache location. My initial instinct is to attempt to inject a localStorage entry into the webview before loading the web app.
I am wondering if this is a terrible idea and/or if there are best practices for dealing with a situation like this.
I’m curious to know where you’ve landed on this - Unfortunately, as you’ve noticed, there really isn’t a good solution with regards to sharing a session between native apps and a webview/web app.
I will say that after a bit of internal research, the consensus seems to be that the “safest solution” might be to simply maintain entirely separate sessions: 1 at the Native app, and 1 at the web app, where the web app has an extended session to begin with (3 days for example). Once the user’s session expires at the web app they will need to re-authenticate, so this doesn’t make for an entirely seamless solution, but it at least cuts down on the number of times a user has to enter credentials. This basically boils down to no collaboration between the webview and mobile app.
This is a longstanding issue for which there is no real solution - Unfortunately the risk associated with attempting to share sessions in this context really limits what’s possible.