How to check if a session is valid in web app back end?
https://support.okta.com/help/answers?id=9062a000000xzogqag&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Scott Denny
I use the Okta signin widget to log a user in and get the ACTIVE session id from the widget. Then I send the sessionId to my back end, with the expectation that it will GET /api/v1/sessions/{{sessionId}} and check that it is an ACTIVE session and that the logins match (so that a user can't pretend to be someone else if they happen to have a sessionId). Unfortunately, MFA_REQUIRED is returned as the status, even though it's an admin API operation. I don't get how I can simply GET a session based on its ID. It seems like it should be simple, especially since it's an admin operation. The same sessionId in the same org should not have different results on different servers.

If there is no way to verify that a session is active with just that API request, is there another way to verify it in the back end that only depends on the sign-in widget and read-only API operations?
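The back-end check the question describes, written out as an added example (this is not code from the poster or from Okta): fetch the session object with an Okta API token and accept it only when its status is ACTIVE, its login matches the user the client claims to be, and it has not expired. The endpoint path and the ACTIVE / MFA_REQUIRED statuses are the ones named in the question; the `SSWS` authorization scheme, the `login`, `status` and `expiresAt` field names, the org URL and the sample session objects are assumptions made for the illustration, and the sample responses are constructed so the decision logic runs offline. Anything other than ACTIVE (including the MFA_REQUIRED the poster observed) is rejected, so the check fails closed.

```python
"""Back-end validation of an Okta session ID received from the sign-in widget.

Added example, not the original poster's code. Assumes an Okta org URL such as
https://example.okta.com and an Okta API token sent as "Authorization: SSWS ...".
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict, Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Only ACTIVE grants access; MFA_REQUIRED / MFA_ENROLL mean the sign-in is unfinished.
ACTIVE = "ACTIVE"


def fetch_session(org_url: str, api_token: str, session_id: str) -> Optional[Dict[str, Any]]:
    """GET /api/v1/sessions/{sessionId} with an SSWS API token (assumed scheme).

    Returns the parsed session object, or None on 404 (session unknown or already
    closed). Any other HTTP error is raised so the caller cannot mistake it for "valid".
    """
    req = Request(
        f"{org_url}/api/v1/sessions/{session_id}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def session_is_valid_for(
    session: Optional[Dict[str, Any]], claimed_login: str, now: Optional[datetime] = None
) -> bool:
    """Accept only an ACTIVE, unexpired session whose login matches the claimed user.

    Field names (status, login, expiresAt) are assumed from the Okta session object.
    """
    if session is None:
        return False  # no such session: fail closed
    if session.get("status") != ACTIVE:
        return False  # MFA_REQUIRED, MFA_ENROLL, ...: the sign-in is not complete
    login = session.get("login")
    # Prevents a caller with someone else's session ID from claiming a different identity.
    if not isinstance(login, str) or login.casefold() != claimed_login.casefold():
        return False
    expires_at = session.get("expiresAt")
    if isinstance(expires_at, str):
        exp = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
        if exp <= (now or datetime.now(timezone.utc)):
            return False
    return True


# Constructed sample responses (not real Okta data) for an offline demonstration.
SAMPLE_ACTIVE = {
    "id": "sess-constructed-1",
    "login": "alice@example.com",
    "status": "ACTIVE",
    "expiresAt": "2024-01-01T02:00:00.000Z",
}
SAMPLE_MFA_REQUIRED = dict(SAMPLE_ACTIVE, id="sess-constructed-2", status="MFA_REQUIRED")
SAMPLE_EXPIRED = dict(SAMPLE_ACTIVE, id="sess-constructed-3", expiresAt="2023-12-31T23:00:00.000Z")


def demo() -> Dict[str, bool]:
    """Run the validator over the constructed samples at a fixed reference time."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {
        "active_matching": session_is_valid_for(SAMPLE_ACTIVE, "alice@example.com", now),
        "active_wrong_user": session_is_valid_for(SAMPLE_ACTIVE, "mallory@example.com", now),
        "mfa_required": session_is_valid_for(SAMPLE_MFA_REQUIRED, "alice@example.com", now),
        "expired": session_is_valid_for(SAMPLE_EXPIRED, "alice@example.com", now),
        "not_found": session_is_valid_for(None, "alice@example.com", now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

In a real deployment `fetch_session` supplies the first argument of `session_is_valid_for`; the login the back end compares against should come from the client's claim of identity, never from the session object itself, otherwise the comparison proves nothing.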
Costel Curca (Okta, Inc.)
The sign-in widget doesn't expose sessionId to outside world but you can check if the session is active by using https://github.com/okta/okta-signin-widget#sessiongetcallback 
For more information please open a ticket with Okta support.
Scott Denny
I am already using the sign-in widget to get the session ID. It is available in the response from the call you mentioned. My question is why that session ID, in the admin get session endpoint, says MFA_REQUIRED, when there is no way for an admin to do MFA on behalf of a random user.