User is getting logged in automatically without clicking on login button

Hi, I'm using universal login for my SPA application. If the user logs in once and forgets to log out, the next time he opens a tab and hits the application URL he gets directly logged in without even clicking on the login button. I'm calling the authorize endpoint when the application loads so it will take the user to universal login, but if the user forgets to log out, the next time he is directly logged in. Can anyone tell me why this is happening?

Hi,

If the user simply closes a tab but the browser process remains running (for example, if other tabs are still open), non-persistent cookies for that tab are usually not cleared. Non-persistent cookies are typically not cleared until the browser process is terminated. So if the browser process remains running and the user opens a new tab at the application URL, all the previously-set cookies are still there.

However, assuming that the user does close the browser without logging out, the default behaviour of Auth0 is to automatically log them back in. This is because the Auth0 session cookies are persistent. They don’t get cleared when the browser process is terminated.

You can set the maximum duration of the Auth0 signin session via tenant settings but it’s an imperfect solution. Set it too low and the signin session can expire while the user is using your application (causing further authorization requests - for example, obtaining access tokens - to require re-authentication). Set it too long and the user will remain signed in.

Auth0’s rationale for the service behaving this way is that most users want to stay signed in. However, there’s no option to disable this behaviour either at the tenant level or under the control of the user (for example, by offering a “keep me signed in” checkbox).

One workaround is to specify prompt=login with your authorization request. This will force the login prompt to be redisplayed. However, the original user’s session cookie is, in fact, still there. prompt=login just tells Auth0 to ignore it for this authorization request. If a malicious user with access to the machine re-issues the authorization request without that parameter, the original user will still be automatically logged in. It’s not ideal.

If you really can’t live with this behaviour and you have a reverse proxy between your users and Auth0 (for example, if you are using a custom domain for your tenant) you may be able to rewrite the Auth0 Set-Cookie headers to make the session cookie non-persistent. However, this is very definitely not supported by Auth0 and any changes at their end could easily break it.
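Both workarounds from the reply above, as an added JavaScript example that is not code from the original thread or from Auth0: the tenant domain, client ID, redirect URI, the `example_session` cookie name and the proxy rewrite hook are all assumptions.

```javascript
// Added example (not from the original thread): the two workarounds the reply
// describes. Domain, client ID, cookie name and the proxy hook are assumptions.

// Workaround 1: build the /authorize request with prompt=login so Auth0
// re-displays the login page even when a session cookie exists. The cookie
// itself is untouched; a request without the parameter is still auto-logged-in.
function buildAuthorizeUrl({ domain, clientId, redirectUri, state, nonce, forceLogin }) {
  const params = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile",
    state,
    nonce,
  });
  if (forceLogin) params.set("prompt", "login");
  return `https://${domain}/authorize?${params.toString()}`;
}

// Workaround 2 (unsupported by Auth0): at a reverse proxy in front of a custom
// domain, strip Expires/Max-Age from Set-Cookie so the session cookie becomes a
// non-persistent (browser-session) cookie. All other attributes are preserved.
function makeCookieNonPersistent(setCookieHeader) {
  const parts = setCookieHeader.split(";").map((p) => p.trim()).filter(Boolean);
  const kept = parts.filter((attr, i) => {
    if (i === 0) return true; // the name=value pair is always kept
    const name = attr.split("=")[0].trim().toLowerCase();
    return name !== "expires" && name !== "max-age";
  });
  return kept.join("; ");
}

// Apply the rewrite to every Set-Cookie header, but only for the session
// cookie(s) the proxy operator has identified (the name list is an assumption).
function rewriteSetCookies(headers, sessionCookieNames) {
  return headers.map((h) => {
    const cookieName = h.split("=")[0].trim();
    return sessionCookieNames.includes(cookieName) ? makeCookieNonPersistent(h) : h;
  });
}

// Constructed sample header; the cookie name is a placeholder, not Auth0's real one.
const SAMPLE_SET_COOKIE =
  "example_session=abc123; Max-Age=604800; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Secure; HttpOnly; SameSite=None";
```

The rewritten cookie is dropped when the browser process exits, which addresses the persistent-session case; it does nothing for the open-browser case in the first paragraph of the reply.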

