Previous login token is being used after logging in with different account

The issue that we are having is that during a pen test we got a vulnerability reported where, if we logged in with account A, logged out and immediately logged in with account B, the user would see profile information for account A, meaning that somewhere the cookie would persist with the previous account.

While we weren't able to replicate the same issue within a single environment, what we found is that we could replicate it by logging in with account A on a local dev machine, then going to the deployed dev environment; after being logged in with account B on deployed dev, it would show the profile information for account A.

We are using the same Oktapreview.com account for local/dev and stage; however, the expectation is that if I log in to a different account, I shouldn't be logged in as the previous user.

Here is our Okta config:

```ts
const oktaSignInConfig = {
  baseUrl: `https://${REACT_APP_OKTA_DOMAIN}`,
  clientId: `${REACT_APP_OKTA_CLIENT_ID}`,
  redirectUri: window.location.origin + '/',
  authParams: {
    scopes: ['openid', 'email', 'groups', 'profile', 'offline_access'],
    // If your app is configured to use the Implicit flow
    // instead of the Authorization Code with Proof Key for Code Exchange (PKCE)
    // you will need to uncomment the below line
    // pkce: false
  },
  useClassicEngine: true,
  features: {
    showPasswordToggleOnSignInPage: true,
  },
};
```

We are using an instance of OktaSignIn from @okta/okta-signin-widget with an onSuccess function that looks as follows:

```ts
const onSuccess = (res: RenderResult) => {
  if (res.status === 'SUCCESS') {
    const result = res as RenderResultSuccessOIDC;
    // Hand the tokens returned by the widget to okta-auth-js
    oktaAuth.handleLoginRedirect(result.tokens);
  }
};
```

The logout function looks as follows:

```ts
const doFullLogout = async () => {
  // Drop locally stored tokens first, then end the Okta session and revoke
  await oktaAuth.tokenManager.clear();
  await oktaAuth.signOut({
    clearTokensBeforeRedirect: true,
    revokeAccessToken: true,
    revokeRefreshToken: true,
    postLogoutRedirectUri: window.location.origin,
  });
};
```

We tried switching to useClassicEngine: false and changing onSuccess to:

```ts
const onSuccess = async (res) => {
  await oktaAuth.tokenManager.setTokens({
    accessToken: res.accessToken,
    idToken: res.idToken,
    refreshToken: res.refreshToken, // if offline_access scope requested
  });
  oktaAuth.authStateManager.updateAuthState();
};
```

but the same issue persists.

Is there a way to ensure that every login checks the new identity and issues a correct token, instead of reusing the previous one?
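The question asks how to make each login check the new identity rather than reuse a leftover token. As an added example (not code from the original post, and not an Okta SDK API), the guard below shows the client-side checks that make a stale token unusable: the OIDC nonce binds an ID token to one authorize request, so a token left over from account A cannot satisfy the nonce generated for account B's attempt; an issue-time check rejects any token minted before doFullLogout ran; and a storage purge removes SDK entries that survived the logout. Everything here is an assumption of the example: the function names, the "okta-" storage key prefix and the two key names used in the scenario, and the tokens themselves, which are constructed, unsigned (alg "none") tokens so the demo runs offline. Signature validation stays with the SDK; this code only inspects claims it has already been handed.

```javascript
// Added example, not code from the original post or from Okta's SDKs.
// Assumptions: the SDK has already verified the ID token signature; the
// "okta-" key prefix, the key names in runScenario and every function name
// here are this example's own; tokens are constructed and unsigned, for
// the demo only, and must never be accepted by production code.

function base64UrlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return atob(b64);
}

function base64UrlEncode(s) {
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload only. This is not proof the token is genuine.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed, unsigned token (alg "none") so the demo runs offline.
function makeDemoIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.`;
}

// Decide whether an ID token can belong to the login attempt that just
// completed. expectedNonce is the nonce the app generated for this authorize
// request; loggedOutAt is the unix time at which the last logout ran.
function checkFreshLogin({ idToken, expectedNonce, loggedOutAt, now }) {
  const c = decodeJwtPayload(idToken);
  if (c.nonce !== expectedNonce) {
    return { ok: false, sub: c.sub, reason: 'nonce does not match this login attempt' };
  }
  if (typeof c.iat !== 'number' || c.iat < loggedOutAt) {
    return { ok: false, sub: c.sub, reason: 'token issued before the last logout' };
  }
  if (typeof c.exp !== 'number' || c.exp <= now) {
    return { ok: false, sub: c.sub, reason: 'token expired' };
  }
  return { ok: true, sub: c.sub, reason: null };
}

// Remove every SDK entry from a Web Storage object (localStorage or
// sessionStorage). Iterating backwards keeps indices valid while deleting.
function purgeOktaStorage(storage, prefix = 'okta-') {
  const removed = [];
  for (let i = storage.length - 1; i >= 0; i--) {
    const key = storage.key(i);
    if (key !== null && key.startsWith(prefix)) {
      storage.removeItem(key);
      removed.push(key);
    }
  }
  return removed.sort();
}

// Minimal in-memory stand-in for window.localStorage so the demo runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
}

// The scenario from the question: A logs in, logs out, then B logs in.
function runScenario() {
  const tokenA = makeDemoIdToken({ sub: 'user-a', nonce: 'nonce-1', iat: 1000, exp: 4600 });
  const loggedOutAt = 2000; // doFullLogout ran here
  const tokenB = makeDemoIdToken({ sub: 'user-b', nonce: 'nonce-2', iat: 2100, exp: 5700 });
  const now = 2200;
  const storage = new MemoryStorage();
  storage.setItem('okta-token-storage', JSON.stringify({ idToken: tokenA })); // assumed key name
  storage.setItem('okta-cache-storage', '{}');                               // assumed key name
  storage.setItem('theme', 'dark');                                          // unrelated app data survives
  const purged = purgeOktaStorage(storage);
  // A's leftover token presented against B's attempt fails on the nonce alone.
  const replay = checkFreshLogin({ idToken: tokenA, expectedNonce: 'nonce-2', loggedOutAt, now });
  const fresh = checkFreshLogin({ idToken: tokenB, expectedNonce: 'nonce-2', loggedOutAt, now });
  return { purged, remaining: storage.length, replay, fresh };
}
```

In the real app the nonce and the logout timestamp would be generated and recorded by the code that starts the login and by doFullLogout respectively, and the profile view should be rendered from the claims of the token that passed this check, never from state cached before the logout.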
