Session Management - Single Page App

Learn how to manage sessions with an SPA.

Managing Sessions With an SPA

For SPAs, session information, including the user's access token and refresh token, is stored locally in the browser. As long as the access token is valid and hasn't expired, the user should be considered to have an active session. If the access token expires and a valid refresh token is available, the refresh token can be used to retrieve a new access token without requiring the user to re-authenticate. Note that for SPAs, refresh token rotation should be used, so that when the access token is refreshed, a new refresh token is generated in addition to the new access token.

There are multiple locations within the browser where tokens can be stored. Each storage location, though, has its own tradeoffs. For instance, storing the tokens in-memory makes it harder for malicious JavaScript to extract the tokens; however, if the page is refreshed, then the in-memory content is lost, and the user will be forced to re-authenticate. In comparison, storing the tokens in the browser's session or local storage will allow them to persist across page changes, but it also makes them easier to extract by malicious JavaScript. For a detailed description of the different token storage options available in the browser, please see the Token Storage in the Browser section from the OAuth 2.0 for Browser-Based Apps BCP.

Ending Sessions on Logout

When an authenticated user logs out of your application, the application must ensure that all sessions and their corresponding tokens are revoked.

Deleting Client-Side Session State

When a user logs out, the SPA must delete any session data stored within the browser. For example, if the session data was being stored in local storage, then the application must delete the session data from local storage during the logout process.

Revoking the Refresh Token

If the session has a refresh token associated with it, then the application should call the Wristband Revoke Token API to revoke the refresh token.

Deleting the Wristband Authentication Session

Lastly, the application should redirect to the Wristband Logout API, which will cause the Wristband authentication session to be deleted.
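The session lifecycle described under "Managing Sessions With an SPA" (active-session check, silent refresh with refresh token rotation) and the three logout steps above, as one added JavaScript example that is not Wristband's SDK or documentation code. It assumes: the three endpoint URLs are placeholders to be replaced with the real Wristband endpoints; the refresh request and response follow the standard OAuth 2.0 refresh_token grant (RFC 6749) and the revoke request follows RFC 7009, which may differ from Wristband's actual API shapes; and `storage`, `fetchFn`, `navigate` and `now` are injected so the same code runs in a browser or in a test without a network.

```javascript
// Added example, not Wristband's own SDK or documentation code.
// PLACEHOLDER URLs and assumed request/response shapes (RFC 6749 refresh_token
// grant, RFC 7009 revocation); check Wristband's API reference for the real ones.
const REFRESH_TOKEN_URL = "https://PLACEHOLDER-wristband-domain/oauth2/token";
const REVOKE_TOKEN_URL = "https://PLACEHOLDER-wristband-domain/oauth2/revoke";
const LOGOUT_URL = "https://PLACEHOLDER-wristband-domain/logout";
const SESSION_KEY = "app.session";
const SKEW_MS = 30 * 1000; // treat the token as expired slightly early to absorb clock skew

// Web Storage-compatible in-memory store: harder for injected script to read, but
// wiped on a page reload (the tradeoff the text describes). Pass window.sessionStorage
// or window.localStorage instead if the session must survive reloads.
function createMemoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
    removeItem: (key) => { items.delete(key); },
  };
}

// storage: Web Storage-like object; fetchFn: window.fetch or a test double;
// navigate: performs the redirect, e.g. (url) => window.location.assign(url);
// now: clock in ms, injectable for testing.
function createSessionManager({ storage, fetchFn, navigate, now = () => Date.now() }) {
  const load = () => {
    const raw = storage.getItem(SESSION_KEY);
    return raw ? JSON.parse(raw) : null;
  };
  const save = (session) => storage.setItem(SESSION_KEY, JSON.stringify(session));
  const clear = () => storage.removeItem(SESSION_KEY);
  const unexpired = (s) => s.expiresAt - SKEW_MS > now();
  const form = (fields) => ({
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(fields).toString(),
  });

  return {
    // Store the token pair received after authentication, with an absolute expiry.
    start({ accessToken, refreshToken, expiresInSeconds }) {
      save({ accessToken, refreshToken, expiresAt: now() + expiresInSeconds * 1000 });
    },

    // The user has an active session while the access token is unexpired.
    isActive() {
      const s = load();
      return s !== null && unexpired(s);
    },

    // Return a usable access token, refreshing silently when it has expired.
    // Returns null when the user must re-authenticate.
    async getAccessToken() {
      const s = load();
      if (!s) return null;
      if (unexpired(s)) return s.accessToken;
      if (!s.refreshToken) { clear(); return null; }
      const res = await fetchFn(REFRESH_TOKEN_URL,
        form({ grant_type: "refresh_token", refresh_token: s.refreshToken }));
      if (!res.ok) { clear(); return null; } // refresh token rejected: re-authenticate
      const body = await res.json();
      // Rotation: keep the NEW refresh token; the old one is dropped and never reused.
      save({ accessToken: body.access_token, refreshToken: body.refresh_token,
             expiresAt: now() + body.expires_in * 1000 });
      return body.access_token;
    },

    // Logout in the order the text gives: delete client-side state, revoke the
    // refresh token, then redirect to the logout endpoint to end the Wristband session.
    async logout() {
      const s = load();
      clear(); // 1. nothing usable is left in the browser even if a later step fails
      if (s && s.refreshToken) {
        try {
          await fetchFn(REVOKE_TOKEN_URL, // 2. revoke the (current, rotated) refresh token
            form({ token: s.refreshToken, token_type_hint: "refresh_token" }));
        } catch (_err) {
          // Best effort: the redirect below still deletes the server-side session.
        }
      }
      navigate(LOGOUT_URL); // 3. delete the Wristband authentication session
    },
  };
}

// Demo with a constructed fetch double (no network): expiry, rotation, then logout.
async function demo() {
  let clock = 1000000;
  const calls = [];
  const fakeFetch = async (url, init) => {
    calls.push({ url, body: init.body });
    return { ok: true, json: async () => ({ access_token: "at-2", refresh_token: "rt-2", expires_in: 600 }) };
  };
  const mgr = createSessionManager({ storage: createMemoryStorage(), fetchFn: fakeFetch,
    navigate: (url) => calls.push({ url }), now: () => clock });
  mgr.start({ accessToken: "at-1", refreshToken: "rt-1", expiresInSeconds: 60 });
  const t1 = await mgr.getAccessToken(); // "at-1": still valid
  clock += 90 * 1000;                    // advance past expiry
  const t2 = await mgr.getAccessToken(); // "at-2": refreshed, refresh token rotated to "rt-2"
  await mgr.logout();                    // revokes "rt-2", then redirects to LOGOUT_URL
  return { t1, t2, active: mgr.isActive(), calls };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a browser, construct the manager with `window.fetch`, either `createMemoryStorage()` or one of the Web Storage objects, and `(url) => window.location.assign(url)`. Clearing local state before the revoke call is deliberate: the refresh token is read into a local variable first, so the revoke still happens, but if the revoke request fails the browser already holds nothing usable and the redirect still ends the Wristband session.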