User is still authenticated after uninstalling and re-installing the app

Problem statement

If a user deletes the app without logging out and then reinstalls it, will the user’s session still exist when they log in to the app again?

If the app is reinstalled, is it possible to have the user re-authenticate using email and password?

Solution

The behavior you describe is the expected behavior. Because web authentication is used, the user’s session cookie is managed by the browser, not by the app. Calling the logout endpoint redirects to the Auth0 logout page and clears the session cookie. Uninstalling the app without logging out does not, and cannot, clear the browser’s session cookie. So, when the app is reinstalled and the user attempts to log in, the browser’s session cookie identifies the user as authenticated, and they are not directed to log in with their credentials.

A way to verify this behavior is to:

  • Clear the browser’s cookies; notice that on app re-install/login the user will be required to authenticate.
  • Call the logout() method prior to calling login().

If either of those is done, the user will be asked to authenticate after reinstalling the application.
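
The second option as an added example (not code from the original thread or from Auth0): logout runs in the browser and completes asynchronously, so login is started only from the logout success callback. It assumes the Auth0.Android v2 Kotlin API; `loginWithFreshSession`, the client ID, the domain and the `demo` scheme are hypothetical placeholders.

```kotlin
import android.app.Activity
import com.auth0.android.Auth0
import com.auth0.android.authentication.AuthenticationException
import com.auth0.android.callback.Callback
import com.auth0.android.provider.WebAuthProvider
import com.auth0.android.result.Credentials

// Placeholders (assumptions): replace with your tenant's values and the
// scheme configured in your app's manifest placeholders.
private const val CLIENT_ID = "YOUR_CLIENT_ID"
private const val DOMAIN = "YOUR_TENANT_DOMAIN"
private const val SCHEME = "demo"

// Hypothetical helper: clear the browser-held session, then start login.
fun loginWithFreshSession(
    activity: Activity,
    onCredentials: (Credentials) -> Unit,
    onError: (AuthenticationException) -> Unit
) {
    val account = Auth0(CLIENT_ID, DOMAIN)

    val loginCallback = object : Callback<Credentials, AuthenticationException> {
        override fun onSuccess(result: Credentials) = onCredentials(result)
        override fun onFailure(error: AuthenticationException) = onError(error)
    }

    // logout() opens the browser and hits the logout endpoint, which clears
    // the session cookie that survives an uninstall of the app.
    WebAuthProvider.logout(account)
        .withScheme(SCHEME)
        .start(activity, object : Callback<Void?, AuthenticationException> {
            override fun onSuccess(result: Void?) {
                // Cookie cleared: login now asks the user for credentials.
                WebAuthProvider.login(account)
                    .withScheme(SCHEME)
                    .start(activity, loginCallback)
            }

            override fun onFailure(error: AuthenticationException) {
                // Logout did not complete, so the cookie may still be valid.
                // Do not start login here; report the error instead.
                onError(error)
            }
        })
}
```

Starting login without waiting for the logout callback can race with the browser and reuse the old session.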

Info from: Android SDK - user keeps logged in after uninstalling and installing the app