auth0-react
Session not cleared if user uses Back after logout
Checklist
- [ ] The issue can be reproduced in the auth0-react sample app (or N/A).
- [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- [X] I have looked into the API documentation and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
After calling logout
the user is redirected back to our login page, but if they go back with their browser they can get back into the application and perform authenticated actions. Calling refresh at any time throws them out of the application, and the auth0 logs show a successful logout.
To add more mystery to this, it does not happen consistently. For example, if the developer tools are open in the browser, the problem goes away and going back throws the user onto the login screen.
Reproduction
- login
- logout
- press back
- find yourself logged in again.
It seems to be mitigated by having the developer tools open, but is pretty much consistent in normal use. Also unable to replicate it on a localhost dev build.
Additional context
This is our auth provider
```tsx
const onRedirectCallback = (appState?: AppState) => {
  navigate(appState?.returnTo || window.location.pathname);
};
...
<Auth0Provider
  domain={config.auth0.domain}
  clientId={config.auth0.clientId}
  authorizationParams={{
    redirect_uri: window.location.origin,
    audience: config.auth0.audience,
  }}
  onRedirectCallback={onRedirectCallback}
  useRefreshTokens
  cacheLocation={config.auth0.cacheLocation} // undefined except for e2e tests
>
```
auth0-react version
v2.2.1
React version
17.0.2
Which browsers have you tested in?
Chrome
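
An added example, not part of the original report and not auth0-react code: a guard that turns a Back navigation after logout into the full reload that the report says already ends the session. It assumes the stale view is restored from the browser's back/forward cache, which the issue does not confirm; `LOGOUT_FLAG`, `markLoggedOut`, `clearLoggedOut`, `mustReload` and `installBackNavigationGuard` are hypothetical names.

```javascript
// Assumption: the "still logged in" page is a frozen copy restored from the
// back/forward cache, so its in-memory auth state predates the logout.
const LOGOUT_FLAG = 'app.loggedOutAt'; // hypothetical sessionStorage key

// Call immediately before the SDK's logout() so the marker outlives the redirect.
function markLoggedOut(storage, now = Date.now()) {
  storage.setItem(LOGOUT_FLAG, String(now));
}

// Call once a new login has completed, e.g. from onRedirectCallback.
function clearLoggedOut(storage) {
  storage.removeItem(LOGOUT_FLAG);
}

// pageshow fires with persisted === true only when the document was restored
// from the back/forward cache instead of being loaded and executed again.
function mustReload(event, storage) {
  return event.persisted === true && storage.getItem(LOGOUT_FLAG) !== null;
}

// Registers the guard and returns a function that unregisters it.
function installBackNavigationGuard(target, storage, reload) {
  const handler = (event) => {
    if (mustReload(event, storage)) reload();
  };
  target.addEventListener('pageshow', handler);
  return () => target.removeEventListener('pageshow', handler);
}

// Browser wiring; skipped outside a browser so the module also loads in Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installBackNavigationGuard(window, window.sessionStorage, () => {
    window.location.reload(); // a fresh load re-runs the SDK's session check
  });
}
```

The reload after a restore arrives as a normal page load with `persisted` false, so the guard cannot loop.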