Closed ftcaeappno closed 4 months ago
Hello team! Following up on this topic, have you had the opportunity to review this ticket?
During login, there are short-term cookies being set up which are not tied to the main session and are not invalidated if you log out right away. As a result, if you log in and then log out shortly after, you will skip the first screen where you enter your credentials and find yourself directly on the allow/deny screen. This issue happens only when using advanced authentication, because the login flow takes place in an ASWebAuthenticationSession. With regular authentication, we use a fresh WebView every time and therefore don't have any leftover cookies.
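The comment above describes the root cause: with the browser-based (ASWebAuthenticationSession) flow, the cookies written during login outlive the app's own session and are not cleared by the app's logout, so the next sign-in skips the credential screen. The Swift below is an added illustration of the two defender-side controls that follow from that explanation; it is not Salesforce Mobile SDK code, and `authorizeURL`, `callbackScheme`, `EphemeralLoginCoordinator` and `clearWebSessionState` are placeholder names chosen for this example.

```swift
import AuthenticationServices
import WebKit

/// Illustrative only (not Mobile SDK code): runs the browser-based login in an
/// ephemeral ASWebAuthenticationSession. In ephemeral mode the session uses
/// private browsing, so the short-term login cookies are discarded when the
/// session ends and cannot silently re-authenticate a later sign-in.
final class EphemeralLoginCoordinator: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private let anchorWindow: ASPresentationAnchor

    init(anchorWindow: ASPresentationAnchor) {
        self.anchorWindow = anchorWindow
    }

    enum LoginError: Error { case noCallback }

    /// `authorizeURL` and `callbackScheme` are placeholders for the app's own
    /// OAuth authorization endpoint and custom URL scheme.
    func startLogin(authorizeURL: URL,
                    callbackScheme: String,
                    completion: @escaping (Result<URL, Error>) -> Void) {
        let session = ASWebAuthenticationSession(url: authorizeURL,
                                                 callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error {
                completion(.failure(error))
            } else if let callbackURL = callbackURL {
                completion(.success(callbackURL))
            } else {
                completion(.failure(LoginError.noCallback))
            }
        }
        // Private browsing: no shared cookies are read or written, so nothing
        // survives logout that could skip the credential screen next time.
        session.prefersEphemeralWebBrowserSession = true
        session.presentationContextProvider = self
        self.session = session
        _ = session.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        anchorWindow
    }
}

/// Illustrative only: for the WebView-based (standard) flow, wipe the web data
/// store and the process-wide cookie jar on logout so a later login cannot
/// reuse leftover cookies. Call this from the app's logout path.
func clearWebSessionState(completion: @escaping () -> Void) {
    let store = WKWebsiteDataStore.default()
    let types = WKWebsiteDataStore.allWebsiteDataTypes()
    store.removeData(ofTypes: types, modifiedSince: Date.distantPast) {
        HTTPCookieStorage.shared.cookies?.forEach { HTTPCookieStorage.shared.deleteCookie($0) }
        completion()
    }
}
```

The ephemeral flag is the relevant control for the ASWebAuthenticationSession case: a non-ephemeral session shares cookies with the system browser, which the app cannot delete itself, so clearing the app's own cookie store does nothing for that path. A simple regression check for either flow is the one the reporter already used: log in, log out immediately, tap sign-in again, and confirm the credential screen appears rather than the allow/deny screen.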
Thank you @wmathurin! How can we use regular authentication instead of advanced? Is this something that needs to be configured on the app or on Salesforce?
Standard authentication is the default. Advanced authentication is the one that requires authentication. More info here.
We are now in a scenario where advanced authentication is enabled and we would like to use standard authentication; however, we don't know how to do that and we don't know how to revert from advanced back to standard. Can you help us with how to do that?
Hi @wmathurin have you reviewed my last question?
From the doc: "If the org doesn’t use My Domain browser-based authentication or MDM certificate-based auth, Mobile SDK uses standard auth." So to use standard auth, don't use my domain configuration or MDM. Is that an option?
Hello @wmathurin, on our app we are using standard authentication (as per the doc and My Domain settings), but the app still skips the credentials screen and shows the allow/deny screen directly. I guess cookies are still valid after logout and cause this issue. Can you please help us?
Salesforce SDK: 9.2.0
App type: Hybrid
Platform: iOS
Hi @wmathurin! Have you had a chance to review the latest enquiry by @akshayajeevan?
In your video, what is that custom "login" button wired to do?
Closing for lack of response to our last question.
Hello team!
We are seeing a behavior in a hybrid mobile app that we want to avoid, although we are not sure whether this is something to be configured/changed on the backend or in the frontend code.
The desired behavior is that once the user logs out of the app, or when they close it, they must enter their credentials again for security reasons. However, the observed behavior is that when the user logs out of the app and then taps the sign-in button, they are automatically logged in without needing to enter their credentials again.
If the user closes the app through the recent apps list, then they need to enter their credentials again, which is expected.
Please see the video attachment for a demonstration of the auto-login happening.
Can you please help us with this topic? I would appreciate an answer as soon as you can, since the app is in production and this has been flagged as a security vulnerability.
https://user-images.githubusercontent.com/96062035/217264480-08257478-c94c-4452-9b9f-80d96c3a55e3.mp4