sessionToken is ignored if okta cookies are present

Sorbitol · July 20, 2020, 10:02pm

We are building a app with an embedded webview (browser under the covers)

We submit a username and password to the authn endpoint to get back a sessionToken.
(Work with Okta session cookies | Okta Developer)

We pass that session token to a few different embed links (which are saml2 endpoints)
However, we’ve started using different user name and passwords on a few and now
the sites that don’t share credentials no longer work after you’ve visited the first ones

Specifically, we are denied access to sites after the first site because the authentication mechanism
is ignoring our session token and looking at the data from the previous sites which have various Okta cookies like DT and sid and sessiontoken.

While we can clear our cookies prior to each request, we lose the benefit of the cached items like images, html etc.

Is there a configuration so the queryparam sessiontoken is examined first prior to cookies sent with the request. ?

dragos · July 20, 2020, 11:28pm

Hi @Sorbitol

The sessionToken can be used only once and in the first 5 minutes since it was created to establish a valid connection in the browser window/webview.

The best solution would be to establish the connection to Okta behind the scenes and then use session refresh to refresh the session in Okta while the user is active inside the application. During this time, the user will be able to successfully access any SAML applications by visiting the embed URL.

system · April 25, 2022, 5:02pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.