Open venkareddyt91 opened 1 year ago
Thanks for submitting this issue. Couple of questions to clarify: after oktaSignIn.showSignIn, when you call closeSession(), do you see a successful request to DELETE /api/v1/sessions/me in the Network tab of Dev tools? Do you wait for the promise returned by closeSession() before the page reload (if you do a page reload on sign out)? If you call authClient.session.get() after logging out, do you see a valid session returned? If you call authClient.tokenManager.getTokens() after logging out, do you see any tokens?
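The checks asked for in the reply above, turned into a sign-out routine, as an added example that is not part of this issue or of the Okta SDKs. It uses only the okta-auth-js surface named in the thread (closeSession(), session.get(), tokenManager.getTokens()) plus tokenManager.clear(). The makeFakeAuthClient() stand-in is constructed for this example: it mimics the symptom in the report, where closeSession() ends the Okta session but leaves the cached tokens in place, so the verification step has something to catch. The 'INACTIVE' status returned by the fake's session.get() mirrors what okta-auth-js resolves to when no session exists; treat that as an assumption to confirm against your SDK version.

```javascript
// Added example, not from the issue or the Okta SDKs. Works against any object
// exposing the okta-auth-js surface used here; makeFakeAuthClient() below is a
// constructed stand-in that reproduces the reported symptom.

async function signOutCompletely(authClient) {
  const report = { sessionClosed: false, tokensLeft: [], sessionStatus: null };

  // 1. Wait for DELETE /api/v1/sessions/me to finish. Reloading the page
  //    before this promise resolves can cancel the request.
  report.sessionClosed = await authClient.closeSession();

  // 2. closeSession() only ends the server-side session. Tokens cached by
  //    tokenManager (and any user data the app derived from them) stay in
  //    browser storage unless cleared explicitly.
  authClient.tokenManager.clear();

  // 3. Verify: no tokens left and the session is no longer ACTIVE.
  const tokens = await authClient.tokenManager.getTokens();
  report.tokensLeft = Object.keys(tokens);
  const session = await authClient.session.get();
  report.sessionStatus = session.status;
  return report;
}

// Reproduces the report: closeSession() alone leaves the cached tokens behind.
async function closeSessionOnly(authClient) {
  await authClient.closeSession();
  return Object.keys(await authClient.tokenManager.getTokens());
}

function makeFakeAuthClient() {
  // Constructed in-memory state standing in for the Okta session cookie and
  // the storage tokenManager writes to. Token values are placeholders.
  const state = {
    sessionActive: true,
    tokens: {
      accessToken: { accessToken: 'placeholder.access.token' },
      idToken: { idToken: 'placeholder.id.token' },
    },
  };
  return {
    async closeSession() { state.sessionActive = false; return true; },
    session: {
      // Assumption: okta-auth-js resolves session.get() to { status: 'INACTIVE' }
      // when there is no session; the fake models that.
      async get() { return { status: state.sessionActive ? 'ACTIVE' : 'INACTIVE' }; },
    },
    tokenManager: {
      async getTokens() { return { ...state.tokens }; },
      clear() { state.tokens = {}; },
    },
  };
}

// Stand-alone demo: first the reported behaviour, then the complete sign-out.
closeSessionOnly(makeFakeAuthClient()).then((left) =>
  console.log('after closeSession() only, tokens left:', left));
signOutCompletely(makeFakeAuthClient()).then((r) =>
  console.log('after signOutCompletely():', r));
```

In an application, anything rendered from the ID token claims or from a /userinfo call (the dashboard details in the report) has to be dropped from the app's own state on sign-out as well; the SDK only manages what it stored.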
Describe the bug?
When user-A logs in to our application using Okta authentication, they are redirected to the account dashboard page with their user information details. When user-A logs out of the application using the authClient.closeSession() function, the session is terminated and the user is logged out.
However, when user-B tries to log in to the same application in the same browser session, they are also redirected to the account dashboard page with user-A's information details, even though they are a different user. This behavior is unexpected and could be a security concern, as user-B is able to view user-A's information.
What is expected to happen?
When user-A logs out of the application using the authClient.closeSession() function, the Okta session should be terminated and all user information should be cleared from the browser's cache. When user-B then logs in to the same application on the same browser, they should be redirected to their own account dashboard with their own user information details.
It's important that the Okta session is properly terminated when a user logs out, to ensure that there is no risk of another user accessing their account or personal information. The authClient.closeSession() function should be sufficient to terminate the session and clear the cache, but if it is not working as expected, it may be necessary to investigate further to determine the cause of the issue.
What is the actual behavior?
The actual behavior is that when user-A logs out of the application using the authClient.closeSession() function, the session is terminated, but the user information is not fully cleared from the browser's cache. When user-B then logs in to the same application on the same browser, they are redirected to the account dashboard page with user-A's information details instead of their own account dashboard.
This suggests that the Okta session is not being properly terminated or cleared from the browser cache, which is resulting in the same session being used for both user-A and user-B. This behavior is unexpected and could be a security concern, as user-B is able to view user-A's information.
Reproduction Steps?
SDK Versions
https://global.oktacdn.com/okta-signin-widget/6.9.0/js/okta-sign-in.min.js
https://global.oktacdn.com/okta-signin-widget/6.9.0/css/okta-sign-in.min.css
Execution Environment
Google Chrome Version 109.0.5414.120
Additional Information?
No response