
I have implemented the Authorization Code Flow with Proof Key for Code Exchange (PKCE) with Identity Server 4, an Angular 8 client and ASP.NET web API. The way I did that is by following the quick start here. It's using silent refresh as well.

The happy flow works: the user can log on, and if he logs off explicitly or closes the browser, the session ends and he needs to log in again.

There is however a case when this does not happen; more specifically if the 'remember where I left off' option in Chrome or Firefox is selected. In that case, the browser simply remembers the session and if the user starts the browser hours or days later, he is still logged on to the site. As the web site will be used on shared computers, this is a potential security issue if the user does not explicitly log off.

I'm a bit puzzled on how to handle this case. I want the session to end when the browser is closed, always. Can someone point me in the right direction on how to achieve that with Identity Server 4?

L-Four

1 Answer

There are a few things you could do to solve this issue:

  • Change the storage of the auth token to sessionStorage; this should be cleared after the browser is closed (I couldn't find any proof that the 'remember where I left off' setting would affect sessionStorage)
  • Explicitly log the user out when the browser tab or the whole browser is closed: Javascript auto logout code
  • Instead of using silent token renewal, do it by hand (this involves some extra code, implementing an Angular interceptor to ask for a new token when the existing one expires and resetting it). I think this is a workaround and would require significant extra effort, especially because you already use a pretty good client to handle everything around authentication and authorization for you.
Peter Sandor
  • Thanks, the sessionStorage may be the simplest then; I will investigate how this can be done because it's all unknown to me :) But I read at https://auth0.com/docs/security/store-tokens that tokens should not be stored in session storage? – L-Four Dec 22 '19 at 16:24
  • @L-Four Indeed, tokens are better stored in an Http-Only cookie, but I had a quick look over the client package you use and I saw it uses some kind of storage (didn't have enough time to thoroughly search whether it's session or local storage). Try logging into the app and then searching through the app's storage in the dev tools (F12) and see where the auth cookie is actually stored. – Peter Sandor Dec 22 '19 at 19:18
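One way to enforce the "session ends with the browser" requirement regardless of which storage the browser restores, as an added example that is not part of the answer or of the oidc client's own code: stamp the session start and last-activity time next to the stored user and reject the session once an idle or absolute limit passes, so a session Chrome or Firefox brings back hours later is treated as expired and the app signs the user out. It assumes hypothetical names (SessionGuard, memoryStorage), an injected storage object, and that IdentityServer's own cookie lifetime is configured as the server-side backstop.

```javascript
// Added example (hypothetical names): client-side session guard for the SPA.
// Storage is injected (window.sessionStorage in the browser; a constructed
// Map-backed fake here so it also runs in Node).
const KEY_STARTED = 'app.session.started_at';
const KEY_ACTIVE = 'app.session.last_activity';
// Minimal Storage-like stand-in for offline use (not a browser API).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
class SessionGuard {
  // Caps: absoluteMaxMs on session age, idleMaxMs on inactivity; `now` is injectable for tests.
  constructor(storage, { absoluteMaxMs, idleMaxMs }, now = Date.now) {
    this.storage = storage;
    this.absoluteMaxMs = absoluteMaxMs;
    this.idleMaxMs = idleMaxMs;
    this.now = now;
  }
  // Call right after a successful sign-in.
  start() {
    const t = this.now();
    this.storage.setItem(KEY_STARTED, t);
    this.storage.setItem(KEY_ACTIVE, t);
  }
  // True only while both limits hold; a browser-restored stale session fails here.
  isValid() {
    const started = Number(this.storage.getItem(KEY_STARTED));
    const active = Number(this.storage.getItem(KEY_ACTIVE));
    if (!started || !active) return false;
    const t = this.now();
    return t - started <= this.absoluteMaxMs && t - active <= this.idleMaxMs;
  }
  // On user activity (e.g. from an HTTP interceptor); an expired session is never revived.
  touch() {
    if (!this.isValid()) return false;
    this.storage.setItem(KEY_ACTIVE, this.now());
    return true;
  }
  // Drop the markers and the stored user; call from sign-out and from a
  // `beforeunload` handler for the explicit-logout-on-close option.
  end(clearUser) {
    this.storage.removeItem(KEY_STARTED);
    this.storage.removeItem(KEY_ACTIVE);
    if (clearUser) clearUser();
  }
}
```

When `touch()` or `isValid()` returns false, the app should call `end()` with a callback that removes the oidc user from storage and then redirect to the login page.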