/authorize
endpoint, from Auth0)As the result, two sessions are created:
<aside> 💡 The same proccess is done when user logs in with an identity provider, but we are going to have one step where the identity provider will create its own session and reply to Auth0 (still, our communication with Auth0 - and our session - will work the same way).
</aside>
[1] https://auth0.com/docs/manage-users/sessions
<aside> 💡 Previously in Auth0, the samesite cookie attribute options were true, false, strict or lax. If you didn't set the attribute manually, Auth0 would use the default value of false. Effective February 2020, Google Chrome v80 changed the way it handles cookies. To that end, Auth0 implemented the following changes to how it handles cookies:
samesite
attribute set will be set to lax
sameSite=none
must be secured, otherwise they cannot be saved in the browser's cookie jarThe goal of these changes are to improve security and help mitigate CSRF attacks.
</aside>
Cookie-based authentication is implemented by each web platform differently, but at the end of the day, they all end up setting some cookie (tied to a session on the server) which represents the authenticated user. On each request, that cookie is sent and the session is deserialized from some store (in memory if it's a single server or some persistent storage if it's a server farm). We provide SDKs for most of the platforms that will tie into the corresponding authentication subsystem (such as passport on node, IPrincipal on .NET or Java, and so on).
When you build an application that requires authentication, you can use sessions and cookies to determine if a user is authenticated each time a request is made. To do this, you can choose to use either stateful or stateless cookies.