Okta Classic Engine · Authentication · Answered · asked 2025-06-16T19:40:56Z, last updated 2025-06-30T15:56:50Z

DaniilM.93946 (Customer) asked a question.

Previous login token is being used after logging in with different account

The issue we are having is that during a pentest a vulnerability was reported where, if you logged in with account A, logged out, and immediately logged in with account B, the user would see the profile information for account A, meaning that somewhere a cookie persisted with the previous account.

While we weren't able to replicate that exact issue, what we found is that we could replicate it by logging in with account A on a local dev machine, then going to the deployed dev environment: when logged in with account B on deployed dev, it would show the profile information for account A.

We are using the same Oktapreview.com account for local/dev and stage; however, the expectation would be that if I log in to a different account, I shouldn't be logged in as the previous user.

Here is our Okta config:

 

```
const oktaSignInConfig = {
  baseUrl: `https://${REACT_APP_OKTA_DOMAIN}`,
  clientId: `${REACT_APP_OKTA_CLIENT_ID}`,
  redirectUri: window.location.origin + '/',
  authParams: {
    scopes: ['openid', 'email', 'groups', 'profile', 'offline_access'],
    // If your app is configured to use the Implicit flow
    // instead of Authorization Code with Proof Key for Code Exchange (PKCE)
    // you will need to uncomment the line below
    // pkce: false
  },
  useClassicEngine: true,
  features: {
    showPasswordToggleOnSignInPage: true,
  },
};
```

 

We are using an instance of `OktaSignIn` from `@okta/okta-signin-widget` with an onSuccess function that looks as follows:

 

```
const onSuccess = (res: RenderResult) => {
  if (res.status === 'SUCCESS') {
    const result = res as RenderResultSuccessOIDC;
    oktaAuth.handleLoginRedirect(result.tokens);
  }
};
```

 

The logout function looks as follows:

 

```
const doFullLogout = async () => {
  await oktaAuth.tokenManager.clear();
  await oktaAuth.signOut({
    clearTokensBeforeRedirect: true,
    revokeAccessToken: true,
    revokeRefreshToken: true,
    postLogoutRedirectUri: window.location.origin,
  });
};
```

 

We tried switching to `useClassicEngine: false` and changing onSuccess to:

 

```
await oktaAuth.tokenManager.setTokens({
  accessToken: res.accessToken,
  idToken: res.idToken,
  refreshToken: res.refreshToken, // if the offline_access scope was requested
});

oktaAuth.authStateManager.updateAuthState();
```

 

but the same issue persists.

Is there a way to ensure that on every login the new identity is checked and a correct token is issued, instead of the previous one being reused?
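The identity check the question asks for, as an added example that is not part of the original post and not code from Okta's SDKs: a function that decodes the claims of the ID token handed to onSuccess and reports whether that token belongs to the login just performed (the `nonce` sent with the authorize request and the `email` typed into the form) and whether the authentication is actually fresh (`auth_time`), which is the claim to watch when an existing Okta session is silently reused instead of the credentials just entered. Signature verification is deliberately not reimplemented here; it stays with the SDK (for instance `oktaAuth.token.verify`) and must run before this check. The sample tokens, their claim values, the `00u-sample-*` subjects and the 120-second freshness window are constructed for the example; `nonce`, `email`, `auth_time`, `exp` and `sub` are standard OIDC ID token claims, and `Buffer` is Node's.

```javascript
// Added example, not code from the original post or from Okta's SDKs.
// Decodes the claims of an OIDC ID token and checks that it belongs to the
// login that was just performed. Signature verification is NOT done here;
// it stays with the SDK (e.g. oktaAuth.token.verify), which must run first.

function base64UrlDecode(segment) {
  const pad = '='.repeat((4 - (segment.length % 4)) % 4);
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeIdTokenClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) {
    throw new Error('ID token is not in JWS compact serialization');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// expected = { email, nonce } as used for THIS sign-in attempt.
// nowSeconds lets callers (and tests) pin the clock.
function checkFreshIdentity(idToken, expected, nowSeconds, maxAuthAgeSeconds = 120) {
  const claims = decodeIdTokenClaims(idToken);
  const problems = [];

  // nonce binds the token to this authorize request; a token minted for an
  // earlier request (e.g. account A's login) carries a different nonce.
  if (claims.nonce !== expected.nonce) {
    problems.push('nonce mismatch: token was not issued for this login attempt');
  }

  // The identifier typed into the sign-in form must match the identity in the
  // token. Okta includes `email` in the ID token when the email scope is granted.
  if (typeof claims.email !== 'string' ||
      claims.email.toLowerCase() !== expected.email.toLowerCase()) {
    problems.push(`email mismatch: token is for ${claims.email}, login was ${expected.email}`);
  }

  // auth_time is when the user actually authenticated. A stale value means an
  // existing session was reused instead of the credentials just entered.
  if (typeof claims.auth_time !== 'number' ||
      nowSeconds - claims.auth_time > maxAuthAgeSeconds) {
    problems.push('auth_time missing or older than the allowed window: existing session reused');
  }

  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    problems.push('token expired');
  }

  return { ok: problems.length === 0, subject: claims.sub, problems };
}

// ---- Constructed sample tokens: no real signature, the third segment is a
// placeholder that any real verifier would reject. ----
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeUnsignedSampleToken(claims) {
  const header = { alg: 'RS256', kid: 'sample-kid' }; // constructed header
  return `${base64UrlEncode(header)}.${base64UrlEncode(claims)}.c2lnbmF0dXJl`;
}

// Reproduces the symptom from the question: account B is typed into the
// widget, but the token that comes back is account A's from an earlier login.
function demo() {
  const now = 1750000000; // fixed clock so the result is deterministic
  const loginB = { email: 'b@example.com', nonce: 'nonce-for-b' };

  const reusedTokenA = makeUnsignedSampleToken({
    sub: '00u-sample-a', email: 'a@example.com', nonce: 'nonce-for-a',
    auth_time: now - 3600, exp: now + 3600,
  });
  const freshTokenB = makeUnsignedSampleToken({
    sub: '00u-sample-b', email: 'b@example.com', nonce: 'nonce-for-b',
    auth_time: now - 5, exp: now + 3600,
  });

  return {
    reused: checkFreshIdentity(reusedTokenA, loginB, now), // ok: false, 3 problems
    fresh: checkFreshIdentity(freshTokenB, loginB, now),   // ok: true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

When the check fails in onSuccess, the safe reaction is to not store the tokens and to run the post's own `doFullLogout` (clear the token manager, sign out with `clearTokensBeforeRedirect` and revoke) before letting the user try again, so that a reused session never reaches the profile page. Independently of this client-side check, the standard OIDC authorize parameters `prompt=login` and `max_age` are the way to ask the provider for a fresh authentication rather than a reused session; whether they fit the widget's `authParams` in this setup is left as an assumption to verify against Okta's documentation.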


  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @DaniilM.93946 (Customer), thank you for contacting Okta Community!

    I've reviewed our documentation for something relevant. It looks like your question is more appropriate for our dedicated Okta Developer Forum. I advise reaching out via devforum.okta.com as they will have more insight into this topic.

    While we'll do our best to answer your questions here, this medium is more inclined towards Okta's core products and features (non-developer work).

    Regards.

    Selected as Best
  • DaniilM.93946 (Customer)

    Thanks for your response, Diana, I will re-post there. Cheers.

This question is closed.