Bot detection prevents login in some cases #604
Comments
Hi Morgan 👋, apologies for missing this one. I couldn't find any reference to "Session is too old, login required" on our side. Given that this is a recently added feature it might be that it wasn't documented yet on the auth0 docs. Are you still running into this issue? If so, let me know and I'll try to reproduce later and raise it with the corresponding team.
Hey @lbalmaceda! I think the error in this case could be anything, really. When we get a fatal error after pulling the current user session I would expect that the user could attempt to re-login afterwards. The current flow just locks the user out of logging in until they clear their web session. We shared these issues with the support team. Because of this and another related error, we decided to clear the current user's session before launching login w/CAPTCHA by using
Thanks for the additional details 😊 Do you mind sharing the support tickets or any other reference you have, so I can find more context locally? I want to ensure this is how the Bot Detection feature is supposed to work in this scenario or raise a bit more visibility otherwise.
This was the support ticket: https://support.auth0.com/tickets/00474936. We didn't continue to work with support since we came up with our own solution. In our meeting with the support team we spoke with Anna Franceschelli, Noel Thompson, and Ian Hassard. Ideally we would like to see:
Ian mentioned that using the native SDK for Google's reCAPTCHA was not supported due to security concerns.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️
Describe the problem
After enabling bot detection in dev and testing the behavior, I am able to get into a scenario where I continually receive this error message when trying to log in: "Session is too old, login required". Repeated attempts to log in show the same error message. I am not sure if this is due to my test setup or if it is an actual issue.
What was the expected behavior?
Login with bot detection enabled should show the universal login page with a CAPTCHA challenge.
Reproduction
The setup for this is a bit involved:
BadBadUserAgent to trigger bot detection (I do this with Charles Proxy)
Session is too old, login required. All login attempts fail
Environment
Lock.Android v2.23.0
Auth0.Android v2.29.0