Last month we started getting reports about sessions not being extended and we noticed that this endpoint is no longer working as expected for us:
/api/v1/sessions/me/lifecycle/refresh
This used to work just fine, but now we constantly get a 200 OK result and an extended expiration time until we get a 404 exactly 20 minutes (our timeout is set to that value) after the session is created.
This is the function that we use to extend the session:
function refreshSession(oktaUrl)
{ $.ajax({ type: “POST”,
url: ‘…’,
accept: “application/json”,
contentType: “application/json”,
crossDomain: true,
xhrFields: { withCredentials: true },
success: function (response)
{ //do nothing },
error: function (xhr, status, error)
{ //kick the user out here } });
}
Any idea about what could have change to break this?
It seems to be working fine to me? I set my Okta session to 5 mins via the sign-on policy. I make a request to /api/v1/sessions/me/lifecycle/refresh and I can see the expiresAt time has been extended. Wait another 4 mins and the request is successful. Are you making sure to extend the session before it expires?
Yes, I am making the request before the session expires. Forgot to mention that this works fine for me too if I run the function from the console at okta’s dashboard (same domain) but is not working when doing the same from our app. domain (and yes, the domain is withelisted).
Maybe this worked for you because you tested from the same domain?
Thanks again. No, third-party cookies are not blocked in any of the browsers that we are supporting (edge, chrome, firefox). What is very strange about this issue is that we are getting a 200 Ok result and an updated exp time, that is not actually extended in practice at okta’s end.
Yesterday we were able to found a workaround by redirecting the user to another web application that’s also secured with okta, but it’s built with aps.net core instead of classic asp.net.
Wonder if the cookies set at the app domain level are not being refreshed using the classic asp.net okta sdk.