Clear session when browser is closed

We are authenticating user login to the application through React JS → AWS Cognito → Okta, SAML based.
When the user closes the browser, the session is not getting killed, and if he reopens the browser, he can log in directly to the application without providing username and password.
We have set in Okta, Security -> Authentication -> SignOn:
Maximum Okta session lifetime: 15 minutes
Expire session after user has been idle on Okta for: 15 minutes
Persist session cookies across browser sessions: Disable

Please suggest how to make the user log in again when he reopens the browser.

Hi @premkumarsp, are you also revoking their access token via the /revoke endpoint? See Revoke Tokens | Okta Developer and How do I kill a Session on Demand? - #6 by andrea.

We are not revoking their access token during log out.
In this case, the user does not log out. He accidentally closed the browser.

And also, while logging in to the application again (he did not enter any credentials), the AWS Cognito refresh token is valid and it takes him in successfully.

@premkumarsp, can you tell me more about your browser settings, i.e. is it set to clear cache/cookies on close? Here is a similar post: React signin widget NOT logging out when browser / tab is closed - #3 by andrea.

Browser setting - We are not clearing cache/cookies when the browser is closed.
We have the same case you added in the link.

We are not calling v1/logout or delete v1/sessions/me as we are using AWS Cognito as Service provider and Okta as Id provider. We are calling awsDomain/logout, which calls Okta logout and signs out the user.

Hi @premkumarsp, what storage type are you using?

If you use session storage, closing a tab/window should end the session and clear objects in sessionStorage.

Hi @Regis, we are using AWS Cognito as Service Provider and Okta as Id provider.
Cognito by default uses localStorage to store the session details and cookies.

How do we set the cookie storage to “sessionStorage”?

Are you able to pass window.sessionStorage into your auth configuration?

Auth.configure({ storage: window.sessionStorage })

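An added example, not part of the thread or of Amplify's own code: after switching to sessionStorage, tokens that the default storage wrote earlier are still in localStorage, so this helper finds and removes them. It assumes the `CognitoIdentityServiceProvider.` key prefix written by amazon-cognito-identity-js; the function names, `MemoryStorage` and all sample values are constructed for illustration.

```javascript
// Added example. Key layout written by amazon-cognito-identity-js (used by Amplify Auth):
//   CognitoIdentityServiceProvider.<clientId>.<user>.<item>
const COGNITO_PREFIX = 'CognitoIdentityServiceProvider.';

// Return the Cognito keys present in a Web Storage-like object.
function findCognitoKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(COGNITO_PREFIX)) keys.push(k);
  }
  return keys;
}

// Remove leftover tokens from persistent storage; returns the removed key names.
function purgePersistedCognitoTokens(persistent) {
  // Collect first: removing while iterating by index would skip entries.
  const keys = findCognitoKeys(persistent);
  keys.forEach((k) => persistent.removeItem(k));
  return keys;
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample: what a login made before the change leaves behind.
// The client id and user name are placeholders.
function sampleLocalStorage() {
  const s = new MemoryStorage();
  const base = COGNITO_PREFIX + 'exampleclientid';
  s.setItem(base + '.LastAuthUser', 'okta_user');
  s.setItem(base + '.okta_user.refreshToken', 'constructed-refresh-token');
  s.setItem(base + '.okta_user.idToken', 'constructed-id-token');
  s.setItem('theme', 'dark'); // unrelated app data must survive the purge
  return s;
}

// In the browser, run once at startup before Auth.configure({ storage: window.sessionStorage }):
//   purgePersistedCognitoTokens(window.localStorage);
```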

@Regis This helped us to solve the problem. Thanks.
One more: how is oktaStateToken set? How can its validity time be changed?