Hi, our team has an app that uses the okta-auth-js SDK to log in a user. We're wondering what cleanup procedures we should follow ahead of starting a new login. For example, if two users share a computer and their Okta session is still valid (sessions/me) and/or they have tokens or transactions in the browser cookies, localStorage, shared-storage, or sessionStorage, do we need to remove them all?
As of now I’m thinking of the following possibilities.
import { OktaAuth } from '@okta/okta-auth-js';

const auth = new OktaAuth({...});

// might be good to do if existing session causes issues.
// Coincidentally this also clears token storage.
// closeSession() returns a promise, so await it (inside an async function)
// before running the local cleanup below.
await auth.closeSession();

// may not be necessary but uses the OktaAuth event emitter to emit
// token removal events in addition to the same thing that
// auth.storageManager.getTokenStorage().clearStorage() does
auth.tokenManager.clear();

// equivalent to auth.storageManager.getTransactionStorage().clearStorage()
// clearSharedStorage: true only clears the current saved
// transaction from sharedStorage
// notably this doesn't seem to allow passing of clearIdxResponse: true
// hence we make a separate call for that below
auth.transactionManager.clear({ clearSharedStorage: true });

// this allows you to clear the entire sharedTransactionStorage
// instead of just the current saved transaction
const storageManager = auth.storageManager;
storageManager?.getSharedTransactionStorage()?.clearStorage();
storageManager?.getHttpCache()?.clearStorage();

// originalUri only seems to be set in some flows, e.g. signInWithRedirect(),
// could use some more clarity on whether we need to clear this ever
storageManager?.getOriginalUriStorage()?.clearStorage();

// you can clear the sneaky IdxResponseStorage with clearIdxResponse: true
storageManager?.getTransactionStorage()?.clearStorage({ clearIdxResponse: true });
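As an added example (not code from the original post and not part of okta-auth-js itself), here is the sequence above wrapped in one routine, run against a constructed fake `auth` object so that the call order and the `closeSession()` failure path can be checked offline, without a browser or an Okta org. Assumptions: the method names and call shapes are exactly the ones listed in the post; `clearBeforeNewLogin` and `makeFakeAuth` are hypothetical names; treating a `closeSession()` rejection (no valid session, offline, CORS) as non-fatal so that the local storage cleanup still runs is a design choice made here, not documented SDK behaviour.

```javascript
// Added example: one cleanup routine for the calls listed in the post,
// plus a hand-built fake OktaAuth instance to exercise it offline.

async function clearBeforeNewLogin(auth) {
  const log = [];

  // 1. Server-side Okta session first. This is the only network-bound step and
  //    may reject; assumption here: a failure must not abort the local cleanup,
  //    otherwise a stale session could leave the next user with the old tokens.
  try {
    await auth.closeSession();
    log.push('closeSession');
  } catch (err) {
    log.push(`closeSession:failed:${err.message}`);
  }

  // 2. Tokens via the token manager (emits token removal events, unlike
  //    clearing the raw token storage directly).
  auth.tokenManager.clear();
  log.push('tokenManager.clear');

  // 3. Current transaction, including its copy in shared storage.
  auth.transactionManager.clear({ clearSharedStorage: true });
  log.push('transactionManager.clear');

  // 4. Remaining storages reached through the storage manager. Each getter is
  //    optional-chained because not every storage exists in every configuration.
  const sm = auth.storageManager;
  const extra = [
    ['sharedTransactionStorage', () => sm?.getSharedTransactionStorage()?.clearStorage()],
    ['httpCache', () => sm?.getHttpCache()?.clearStorage()],
    ['originalUriStorage', () => sm?.getOriginalUriStorage()?.clearStorage()],
    ['transactionStorage+idxResponse',
      () => sm?.getTransactionStorage()?.clearStorage({ clearIdxResponse: true })],
  ];
  for (const [name, clear] of extra) {
    clear();
    log.push(name);
  }
  return log;
}

// Constructed fake standing in for an OktaAuth instance (not the real SDK).
// `closeSessionFails` simulates the "no valid session / network error" case.
function makeFakeAuth({ closeSessionFails = false } = {}) {
  const calls = [];
  const store = (name) => ({ clearStorage: () => calls.push(`${name}.clearStorage`) });
  return {
    calls,
    closeSession: async () => {
      if (closeSessionFails) throw new Error('no session');
      calls.push('closeSession');
    },
    tokenManager: { clear: () => calls.push('tokenManager.clear') },
    transactionManager: {
      clear: (opts) => calls.push(`transactionManager.clear:${JSON.stringify(opts)}`),
    },
    storageManager: {
      getSharedTransactionStorage: () => store('shared'),
      getHttpCache: () => store('httpCache'),
      getOriginalUriStorage: () => store('originalUri'),
      getTransactionStorage: () => store('transaction'),
    },
  };
}

// Usage with a real instance would be: await clearBeforeNewLogin(auth);
// before calling the SDK's sign-in method for the next user.
```

The returned log is what you would surface in debug output when a shared-workstation user reports seeing the previous user's state: it shows whether the server-side session close actually happened or only the local cleanup ran.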