okta / okta-auth-js

The official js wrapper around Okta's auth API

Okta logout not working properly with multiple users on same browser #1380

Open venkareddyt91 opened 1 year ago

venkareddyt91 commented 1 year ago

Describe the bug?

When user-A logs in to our application using Okta authentication, they are redirected to the account dashboard page with their user information details. When user-A logs out of the application using the authClient.closeSession() function, the session is terminated and the user is logged out.

However, when user-B tries to log in to the same application in the same browser session, they are also redirected to the account dashboard page with user-A's information details, even though they are a different user. This behavior is unexpected and could be a security concern, as user-B is able to view user-A's information.

What is expected to happen?

When user-A logs out of the application using the authClient.closeSession() function, the Okta session should be terminated and all user information should be cleared from the browser's cache. When user-B then logs in to the same application on the same browser, they should be redirected to their own account dashboard with their own user information details.

It's important that the Okta session is properly terminated when a user logs out, to ensure that there is no risk of another user accessing their account or personal information. The authClient.closeSession() function should be sufficient to terminate the session and clear the cache, but if it is not working as expected, it may be necessary to investigate further to determine the cause of the issue.

What is the actual behavior?

The actual behavior is that when user-A logs out of the application using the authClient.closeSession() function, the session is terminated, but the user information is not fully cleared from the browser's cache. When user-B then logs in to the same application on the same browser, they are redirected to the account dashboard page with user-A's information details instead of their own account dashboard.

This suggests that the Okta session is not being properly terminated or cleared from the browser cache, which is resulting in the same session being used for both user-A and user-B. This behavior is unexpected and could be a security concern, as user-B is able to view user-A's information.

Reproduction Steps?

  1. Open a new browser session and navigate to the application login page.
  2. Log in to the application using user-A's credentials.
  3. Verify that you are redirected to the account dashboard page with user-A's information details.
  4. Log out of the application using the authClient.closeSession() function.
  5. Verify that you are redirected to the application login page.
  6. Log in to the application using user-B's credentials.
  7. Verify that you are redirected to the account dashboard page with user-A's information details instead of user-B's information details.

SDK Versions

https://global.oktacdn.com/okta-signin-widget/6.9.0/js/okta-sign-in.min.js

https://global.oktacdn.com/okta-signin-widget/6.9.0/css/okta-sign-in.min.css

Execution Environment

Google Chrome Version 109.0.5414.120

Additional Information?

No response

denysoblohin-okta commented 1 year ago

Thanks for submitting this issue. A couple of questions to clarify:

  1. Do you use a sign-in widget hosted on your server for user sign-in, or the Okta-hosted sign-in widget (redirect flow)? If the first one, do you use oktaSignIn.showSignIn?
  2. When you call closeSession(), do you see a successful request to DELETE /api/v1/sessions/me in the Network tab of Dev tools? Do you wait for the promise returned by closeSession() before the page reload (if you do a page reload on sign out)? If you call authClient.session.get() after logging out, do you see a valid session returned? If you call authClient.tokenManager.getTokens() after logging out, do you see any tokens?
  3. Do you use a proxy for the issuer?
  4. Could you please post the code you use for sign-in and sign-out?
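The checks the maintainer lists above (await closeSession(), then inspect tokenManager.getTokens() and session.get()) can be folded into one sign-out routine that refuses to declare the browser "clean" until both come back empty. The following is an added example, not code from this issue or from okta-auth-js; it assumes an `authClient` exposing `closeSession()`, `tokenManager.getTokens()`, `tokenManager.clear()` and `session.get()`, and that `session.get()` resolves to an object whose `status` is not `'ACTIVE'` once the session is gone. The fake clients are constructed for illustration only.

```javascript
// Added example (not okta-auth-js project code). Assumes `authClient` exposes
// closeSession(), tokenManager.getTokens(), tokenManager.clear(), session.get().

// Sign out, then verify nothing identifying the previous user is left behind
// before the next user is allowed to sign in on the same browser.
async function signOutAndVerify(authClient) {
  // Await the promise: reloading or redirecting before the DELETE
  // /api/v1/sessions/me request completes can leave the Okta session alive.
  let sessionClosed = false;
  try {
    sessionClosed = await authClient.closeSession();
  } catch (err) {
    sessionClosed = false; // e.g. network failure; treat as not closed
  }

  // Drop locally cached tokens regardless of the server-side outcome.
  await authClient.tokenManager.clear();

  // Verify: no tokens cached locally ...
  const tokens = await authClient.tokenManager.getTokens();
  const leftoverTokens = Object.keys(tokens).filter((k) => tokens[k]);

  // ... and no active Okta session on the server side.
  // Assumption: session.get() reports status other than 'ACTIVE' when none exists.
  const session = await authClient.session.get();
  const sessionActive = Boolean(session) && session.status === 'ACTIVE';

  const clean = sessionClosed && leftoverTokens.length === 0 && !sessionActive;
  return { sessionClosed, leftoverTokens, sessionActive, clean };
}

// Constructed fake clients (not real Okta objects) to exercise the routine.
// `clearTokens: false` mimics the reported symptom: session ends, cache stays.
function makeFakeClient({ deleteSessionSucceeds, clearTokens }) {
  let tokens = { accessToken: { claims: { sub: 'user-A' } },
                 idToken: { claims: { sub: 'user-A' } } };
  let serverSession = { status: 'ACTIVE', login: 'user-A' };
  return {
    closeSession: async () => {
      if (deleteSessionSucceeds) serverSession = { status: 'INACTIVE' };
      return deleteSessionSucceeds;
    },
    tokenManager: {
      getTokens: async () => ({ ...tokens }),
      clear: async () => { if (clearTokens) tokens = {}; },
    },
    session: { get: async () => ({ ...serverSession }) },
  };
}
```

Gating the next sign-in on `clean === true` (or at least logging the leftover token keys) turns the silent cross-user leak described in the report into a detectable failure.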