auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.


Question - appSession cookie not backed with a session store - is there a workaround?

javapapo opened this issue · comments

Describe the problem you'd like to have solved

Apologies for the naive question - most probably a follow-up of this one:

#393

We are using the express-openid-connect on our SPA implementation (NextJS).
What is currently happening is that

  • We have implemented the routes
  • The user tries to log in - it is redirected to Auth0 and is authenticated - we can see an Auth0 session being created
  • Then we set the appSession cookie on our client.

What we don't do, though, is back this appSession cookie with a session store (e.g. a Redis store).

The problem

We have a fairly large expiration date on the appSession cookie - so potentially someone can

  • Login
  • Get the value of the Session Cookie (copy it)
  • Logout (the auth0 Session is terminated)
  • Then open a new tab or new browser, set the appSession cookie and its value, and the application will consider them logged in.

As you have stated in the previous question - the appSession cookie has nothing to do with the auth0 session.
And in our code, when we receive the appSession cookie we use the built-in methods, e.g. isAuthenticated, but these methods do not make any calls back to Auth0 to validate that we are logged in.

We are trying to decide if the only solution to the above problem is to actually add an ID to the appSession cookie and save it in an external store, e.g. Redis, and when we hit the logout route, we clear the ID from the store so that we indirectly invalidate the appSession cookie.

Alternatively, is there any way we could make use of the appSession cookie and the req.oidc.xxx methods so that we make an extra call to Auth0 every time we check the cookie to correlate it with the session ID? It seems that Auth0 does not offer this capability, e.g. a Session API.

Thanks for your time.

Hi @javapapo - thanks for raising this

You can back the session with a session store by providing an express-session compatible store to the session.store config option. There's an example using Redis here https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#9-use-a-custom-session-store

Then open a new tab or new browser, set the appSession cookie and its value, and the application will consider them logged in.

Using a stateful session will resolve this issue ☝️

we use the built-in methods, e.g. isAuthenticated, but these methods do not make any calls back to Auth0 to validate that we are logged in.

But it won't necessarily solve this issue ☝️ - I have a couple of suggestions for this if just having a stateful session isn't enough
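The store shape referred to above, as an added example that is not code from the express-openid-connect project or from either participant: the `session.store` option takes an object with the express-session callback contract (`get`, `set`, `destroy`). An in-memory `Map` stands in for Redis so the block runs offline; the stored value is treated as opaque, and the assumption that the SDK supplies a `cookie.expires` on the stored object is labelled in the code. The walkthrough function replays the scenario from the issue: once logout calls `destroy`, the copied cookie's session id no longer resolves, which is what makes the stateful session fix the copied-cookie problem.

```javascript
// Added example: a minimal express-session compatible store for the
// `session.store` option of express-openid-connect. Not the project's own code.

class InMemorySessionStore {
  constructor() {
    this.sessions = new Map(); // sid -> { value, expiresAt (ms since epoch) }
  }

  // express-session contract: callback(err, sessionOrUndefined).
  // A missing or expired record resolves to undefined, i.e. "not logged in".
  get(sid, callback) {
    const entry = this.sessions.get(sid);
    if (!entry || entry.expiresAt <= Date.now()) {
      this.sessions.delete(sid);
      return callback(null, undefined);
    }
    return callback(null, entry.value);
  }

  // Assumption: the SDK stores an object carrying cookie.expires; it is used
  // as the server-side TTL when present, with a constructed 24h fallback.
  set(sid, session, callback) {
    const expires = session && session.cookie && session.cookie.expires;
    const expiresAt = expires
      ? new Date(expires).getTime()
      : Date.now() + 24 * 60 * 60 * 1000;
    this.sessions.set(sid, { value: session, expiresAt });
    return callback(null);
  }

  // Called by the SDK's logout route; this is what invalidates a copied cookie.
  destroy(sid, callback) {
    this.sessions.delete(sid);
    return callback(null);
  }
}

// Replays the issue's scenario against a store: login writes a session,
// the cookie value (the session id) is copied, logout destroys the record,
// and the copied id no longer resolves. Returns the two lookup outcomes.
function simulateCopiedCookieAfterLogout(store) {
  const sid = 'constructed-session-id-123'; // constructed sample id
  const results = {};
  const session = {
    data: { id_token: 'constructed-token' }, // constructed placeholder payload
    cookie: { expires: new Date(Date.now() + 60 * 60 * 1000) },
  };
  store.set(sid, session, () => {});
  store.get(sid, (err, s) => { results.beforeLogout = s !== undefined; });
  store.destroy(sid, () => {}); // what the logout route triggers
  store.get(sid, (err, s) => { results.afterLogout = s !== undefined; });
  return results;
}

// Shows that a record past its cookie.expires is also rejected server-side,
// so a long cookie max-age alone does not keep a stale session alive.
function isExpiredSessionRejected(store) {
  const sid = 'constructed-expired-id'; // constructed sample id
  let found = true;
  store.set(sid, { cookie: { expires: new Date(Date.now() - 1000) } }, () => {});
  store.get(sid, (err, s) => { found = s !== undefined; });
  return !found;
}

// Shape of the SDK config that wires the store in; `session.store` is the
// real option name from the EXAMPLES.md link above. In an app this object is
// passed as app.use(auth(authConfig)) with auth from express-openid-connect.
const authConfig = {
  authRequired: false,
  auth0Logout: true,
  session: { store: new InMemorySessionStore() },
};

console.log(simulateCopiedCookieAfterLogout(new InMemorySessionStore()));
```

Swapping the `Map` for a Redis client (the linked connect-redis example) keeps the same three methods; the point the store enforces is that `isAuthenticated` consults a server-side record the logout route can delete, rather than only the cookie's signature and expiry.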

@adamjmcgrath thanks again for your replies. We are exploring the Redis route at the moment.

In regards to the isAuthenticated challenge what would be your suggestions? silent login?

In regards to the isAuthenticated challenge what would be your suggestions? silent login?

Yep, exactly. The other option is Back-Channel Logout, which is being added to auth0 and this SDK next quarter (if you can get your tenant enabled for the private beta you can try using it with this branch https://github.com/auth0/express-openid-connect/blob/back-channel-logout/BACK_CHANNEL_LOGOUT.md)

Many thanks @adamjmcgrath - we will follow up with Auth0 Support to be added to the beta, and we will be eager to see this feature baked into the official release of this lib!

We want to thank you again for the feedback provided.