I read about sessions, but I still don't get it clearly enough.
Auth0 Session Layer: Auth0 also maintains a session for the user and stores their information inside a cookie. The next time a user is redirected to the Auth0 Lock screen, the user’s information will be remembered. Log users out of Auth0 by clearing the Single Sign-on (SSO) cookie.
With a web app that has no API calls, just user authentication implemented, what could go wrong if we just clear the application-layer session?
Can somebody tell me?
Hey there @anhnguyenvan.cf, I foresee this impacting the user’s authenticated experience. Without knowing the full use case or the user’s experience within your application, I am unable to speak fully to the topic. I apologize, as I know this doesn’t completely answer your question in a solidified way, but please let me know if you have any additional information or questions. Thank you!
Hi @James.Morrison
Sorry for the ambiguous question.
Let me describe it in more detail.
We want to build a system that allows users to log in to a web app (which includes MFA and deeper user verification, and plays the role of IdP), then be able to use all of the linked 3rd-party sites (which play the role of SPs).
These 3rd-party sites are not under our control, so it’s impossible to implement SP-initiated SLO (as I understand it). That means, when logging out of the 3rd-party sites, only the application-layer session will be cleared and the Auth0 session will remain, depending on the timeout set in the Tenant Settings section of the Auth0 dashboard.
Will this be OK if we don’t clear the Auth0 session at the time of logging out of the SPs?
Our customer wants us to use Auth0 as the authorization method, so I really, really need to comprehend how Auth0 works.