
Why does checkSession need cookies?

refresh-tokens
checksession

#1

Why does the auth0.checkSession() function need cookies to be enabled? Is there a way we can pass all the required parameters without cookies? This is a showstopper for some browsers, as third-party cookies are disabled by default.


#2

When a user authenticates, a cookie is stored with the session details. This enables [checkSession](https://auth0.com/docs/libraries/auth0js/v9#using-checksession-to-acquire-new-tokens) to acquire a new token from Auth0 for a user who is already authenticated against Auth0 for your domain.

For the [silent authentication](https://auth0.com/docs/sso/current/single-page-apps#silent-authentication-using-auth0-js) to be possible, you must [Have a SSO cookie for the tenant’s domain (in other words, the user has previously signed in and their saved cookie is still valid);](https://auth0.com/docs/sso/current/single-page-apps#configure-silent-authentication). There have been internal discussions around this topic, but at the moment cookies need to be enabled for checkSession to work.

You can see a video about how Auth0 handles sessions and cookies here: https://auth0.com/docs/videos/session-and-cookies
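
One way for a single-page app to handle checkSession failing when the session cookie described above is missing or not sent, as an added example that is not part of the original thread or Auth0's own code. The helper names, the stub, and the `OPTIONS` values are hypothetical, and the `timeout` error code is an assumption about how auth0.js reports an iframe timeout.

```javascript
// Added example. Assumption: `webAuth` is an auth0.js v9 WebAuth instance, or a
// stub exposing the same checkSession(options, cb) and authorize(options) methods.

// OIDC error codes a prompt=none request returns when it cannot finish silently.
const NEEDS_LOGIN = new Set(['login_required', 'consent_required', 'interaction_required']);

function classifyCheckSessionError(err) {
  const code = err && err.error;
  if (NEEDS_LOGIN.has(code)) return 'interactive'; // e.g. no session cookie reached Auth0
  if (code === 'timeout') return 'retry';          // assumption: auth0.js reports iframe timeouts this way
  return 'fatal';
}

function renewSession(webAuth, options, onTokens, onFailure) {
  webAuth.checkSession(options, (err, authResult) => {
    if (!err) return onTokens(authResult);
    const action = classifyCheckSessionError(err);
    // Full-page redirect to the login page instead of the hidden iframe.
    if (action === 'interactive') return webAuth.authorize(options);
    return onFailure(action, err);
  });
}

// Constructed stub standing in for auth0.WebAuth so the example runs offline.
function makeStubWebAuth(err, authResult) {
  const stub = {
    redirected: false,
    checkSession(_options, cb) { cb(err, authResult); },
    authorize() { stub.redirected = true; },
  };
  return stub;
}

// Constructed placeholder values, not taken from the thread.
const OPTIONS = { audience: 'https://api.example.test', scope: 'openid profile' };

function demo() {
  const blocked = makeStubWebAuth({ error: 'login_required' });
  renewSession(blocked, OPTIONS, () => {}, () => {});
  return blocked.redirected; // true: fell back to interactive login
}
```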