JohnH.72971 (Customer) asked a question.
Okta Auth JS SDK - SessionToken verses Okta Session Cookie
I'm trying to use the Okta Auth JS SDK, if an Okta Session is already established in a browser using the oktaAuth.getWithoutPrompt() and if you call the AuthN endpoint to get a sessionToken. If you set the sessionToken in the oktaAuth.getWithoutPrompt() but since the browser has the Okta session cookie stored, if both values are passed which one trumps the other?
When I try to implement this scenario, on the second application calls getWithoutPromt I get an Auth Error about the user not being authorized even though it does. I'm wondering if the second call is not looking at the sessionToken I'm passing in and looking at the session cookie in the header.
Hello John,
For your information, I will include documentation on session cookies and session tokens
https://developer.okta.com/docs/api/resources/sessions
https://developer.okta.com/use_cases/authentication/session_cookie
Given the above mentioned scenario, I believe the session cookie would remain active.
Also during the 2nd call the initial session token would have been exchanged for a cookie and since a session token can only be used once it would of expired.
If you would like to further discuss this issue, please open a support ticket and we'll be happy to help!
Best Regards,
Dan