Auth0 Home Blog Docs

Where does checkSession get the user from when cache is clear?

I’m trying this scenario:
I define webauth with

webAuth = new auth0.WebAuth({
    clientID: clientId,
    domain: domain,
    responseType: 'token id_token',
    scope: 'openid profile',
    redirectUri: 'http://localhost:8080/callback'
  });

then

this.webAuth.checkSession({}, (err, auth) => {
      console.log('auth', auth);
    });

although I haven’t authenticated any user yet (i did in a previous session) but I’m still getting a user and an access token, even though I’ve cleared all the cache, including cookies and everything
My question is where does checkSession gets its user info from?

The checkSession() function checks for a user’s session in Auth0 based to the auth0 cookie set in the browser. Usually when there’s a valid cookie and user’s session still exists in Auth0(duration of the session controlled by the global tenant SSO settings), the tokens will be renewed and returned.

You most likely did not clear the auth0 cookie on the browser set for the Auth0 domain that your Application authenticated against. To ensure the cookie is deleted, you can open chrome://settings/siteData in a Chromium browser, find your Auth0 domain and delete the auth0 cookie there. Now the checkSession() call would not return any tokens.

A better way to ensure user’s session is cleared in the Identity Provider (Auth0) is to redirect user to https://YOUR_DOMAIN/v2/logout, more on Logout here: https://auth0.com/docs/logout/guides/logout-auth0

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.