UNSOLVED Avoid 'sso' and 'remember-device' cookies persistence after closing browser
Hi, i'm using FusionAuth 1.36.8 hosted on my own server with hosted login pages for Blazor application.
I have implemented sign-in and sign-out successfully including the inactivity timeout, but i still have one problem to solve: if the user closes the browser and reopens it, the session will still be there unless the JWT has already expired.
I have noticed that the fusionauth.sso and fusionauth.remember-device are set as persistent cookies with an expiration in 2090.
If i manually delete these 2 cookies and close the browser and open it again, the session is gone as i expected and the user is required to authenticate again.
Is there a way to configure the behavior of these cookies?
dan last edited by dan
You can configure the SSO lifetime in the tenant settings.
To remove the SSO cookie, you can use the logout endpoint:
That will destroy the SSO session. You may not want to destroy the known device cookie. As documented here: https://fusionauth.io/docs/v1/tech/reference/cookies those identify the device as being known to FusionAuth, and make the user experience smoother.
When you request the logout endpoint and pass a
client_id, FusionAuth calls the logout endpoint of the application corresponding to that client id. And, depending on the value of the
Logout behaviorsetting of that application, it may call additional logout endpoints.
Hope that helps.
@dan Thanks for your reply. I'm already using the logout endpoint to perform the user-initiated logout and also the automatic logout based on user inactivity.
My issue is that if the user closes the browser, the session is still valid and if you open the browser again you will be able to use the application which you had previously "closed" (but not logged out).
I'm looking for a way to convert these cookies into non-persistent cookies so the user will be forced to login again everytime -- i know this user experience implications, but this is part of my requirements.
dan last edited by
Ah. There's no way to convert cookies. I mean, I guess you could proxy all FusionAuth access through an NGINX instance or something like that, in which case you'd control the cookies, but there's no setting in FusionAuth to modify the cookies. Feel free to open a feature request referencing this forum post if you feel like it'd be a good feature.
For the present, you might be able to make a GET request against the logout endpoint in the window.close event listener.
Let me know if you experiment and find a way to do this; I'd be interested to learn what works.