Avoid 'sso' and 'remember-device' cookies persistence after closing browser
-
Hi, I'm using FusionAuth 1.36.8 hosted on my own server with hosted login pages for a Blazor application.
I have implemented sign-in and sign-out successfully, including the inactivity timeout, but I still have one problem to solve: if the user closes the browser and reopens it, the session will still be there unless the JWT has already expired.
I have noticed that the fusionauth.sso and fusionauth.remember-device cookies are set as persistent cookies with an expiration in 2090.
If I manually delete these two cookies, close the browser and open it again, the session is gone as I expected and the user is required to authenticate again.
Is there a way to configure the behavior of these cookies?
Thanks
-
You can configure the SSO lifetime in the tenant settings.
To remove the SSO cookie, you can use the logout endpoint:
https://fusionauth.io/docs/v1/tech/oauth/endpoints#logout
That will destroy the SSO session. You may not want to destroy the known device cookie. As documented here: https://fusionauth.io/docs/v1/tech/reference/cookies those identify the device as being known to FusionAuth, and make the user experience smoother.
When you request the logout endpoint and pass a client_id, FusionAuth calls the logout endpoint of the application corresponding to that client id. And, depending on the value of the Logout behavior setting of that application, it may call additional logout endpoints.
Hope that helps.
-
@dan Thanks for your reply. I'm already using the logout endpoint to perform the user-initiated logout and also the automatic logout based on user inactivity.
My issue is that if the user closes the browser, the session is still valid, and if you open the browser again you will be able to use the application which you had previously "closed" (but not logged out).
I'm looking for a way to convert these cookies into non-persistent cookies so the user will be forced to log in again every time -- I know the user experience implications, but this is part of my requirements.
Thanks.
-
Ah. There's no way to convert cookies. I mean, I guess you could proxy all FusionAuth access through an NGINX instance or something like that, in which case you'd control the cookies, but there's no setting in FusionAuth to modify the cookies. Feel free to open a feature request referencing this forum post if you feel like it'd be a good feature.
For the present, you might be able to make a GET request against the logout endpoint in the window.close event listener.
A bit of googling turned this up: https://stackoverflow.com/questions/6162188/javascript-browsers-window-close-send-an-ajax-request-or-run-a-script-on-win
Let me know if you experiment and find a way to do this; I'd be interested to learn what works.
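The two suggestions in this thread (call the logout endpoint with a client_id, and do it from the browser as the page is being closed) can be combined into a small client-side snippet. The following is an added example written for this page; it is not code from the thread, from the Blazor application, or from FusionAuth. It assumes a FusionAuth base URL, a client_id and a post-logout redirect URI, all placeholders, and uses the documented /oauth2/logout endpoint with its client_id and post_logout_redirect_uri query parameters. It listens for pagehide rather than window.close (which is not a DOM event) and skips the case where the page is only entering the back/forward cache.

```javascript
// Added example (not from the thread or from FusionAuth).
// Assumptions: FusionAuth is served from FUSIONAUTH_BASE, the Blazor app is
// registered with CLIENT_ID, and POST_LOGOUT_URI is an allowed logout redirect.
const FUSIONAUTH_BASE = 'https://auth.example.com';             // assumed
const CLIENT_ID = '00000000-0000-0000-0000-000000000000';        // assumed placeholder
const POST_LOGOUT_URI = 'https://app.example.com/';              // assumed

// Build the GET /oauth2/logout URL. Passing client_id makes FusionAuth call the
// application's logout URL(s) as described in the thread; post_logout_redirect_uri
// is where FusionAuth sends the browser afterwards (only relevant if the user
// actually navigates, not when the tab is closing).
function buildLogoutUrl(base, clientId, postLogoutRedirectUri) {
  const url = new URL('/oauth2/logout', base);
  url.searchParams.set('client_id', clientId);
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  return url.toString();
}

// Fire the logout request in a way that survives document unload:
//  - keepalive: the browser keeps the request alive after the page is gone
//  - credentials 'include': the fusionauth.sso cookie must travel to the
//    FusionAuth origin or there is nothing for the endpoint to destroy
//  - mode 'no-cors': we only need delivery; the (opaque) response is ignored
function sendLogout(logoutUrl, fetchImpl = globalThis.fetch) {
  return fetchImpl(logoutUrl, {
    method: 'GET',
    keepalive: true,
    credentials: 'include',
    mode: 'no-cors',
  });
}

// Only log out when the document is really going away. pagehide with
// event.persisted === true means the page is being parked in the bfcache and
// may be restored, so killing the SSO session there would be wrong.
function shouldLogoutOnPageHide(event) {
  return !(event && event.persisted === true);
}

// Attach the handler to a window-like object. Returns true when registered.
// 'sender' is injectable so the wiring can be exercised outside a browser.
function registerLogoutOnClose(win, logoutUrl, sender = sendLogout) {
  if (!win || typeof win.addEventListener !== 'function') return false;
  win.addEventListener('pagehide', (event) => {
    if (shouldLogoutOnPageHide(event)) sender(logoutUrl);
  });
  return true;
}

// Browser entry point; a no-op when loaded outside a browser.
if (typeof window !== 'undefined') {
  registerLogoutOnClose(
    window,
    buildLogoutUrl(FUSIONAUTH_BASE, CLIENT_ID, POST_LOGOUT_URI),
  );
}
```

Two caveats before relying on this. pagehide also fires on a reload or a full-page navigation, so as written the user is logged out on every refresh; a real deployment needs some way to tell a refresh from a close, and the browser does not provide one directly. And nothing fires at all if the process is killed or the machine sleeps, so this complements, rather than replaces, a short SSO lifetime in the tenant settings. It also only destroys the SSO session; as noted above, the fusionauth.remember-device cookie is left alone.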