Auth0 is breaking sessions (cache or cookies) #901

Closed
4 tasks done
seranca opened this issue May 29, 2024 · 4 comments
Comments


seranca commented May 29, 2024

Checklist

  • I have looked into the Readme and the documentation, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

When the Auth0 plugin is active alongside WooCommerce or Elementor plugins, several critical issues arise:

  1. Users Can't Log Out: Users are unable to log out successfully.
  2. WooCommerce Functionality: The WooCommerce plugin does not function correctly.
  3. Elementor Page Editing: Pages cannot be edited using Elementor.
  4. Deactivating Plugins: When attempting to deactivate any plugin via the front end, the message "The link you followed has expired" is displayed.

Suspected Cause:

I have pinpointed the issue to the interaction between these plugins. I believe the problem is due to how these plugins manage sessions and cookies.

Reproduction

  1. Activate the Auth0 plugin (and add Client ID, Client Secret & Domain).
  2. Add an auth0_cookies[secret] under WP-admin > Auth0 > Advanced > Session Cookies > Secret, because it is required and otherwise won't allow you to "Enable Authentication".
  3. Activate the WooCommerce plugin and/or the Elementor plugin.
  4. Attempt to log out a user (after logging out, go to wp-admin).
  5. Try to use WooCommerce functionalities.
  6. Try to edit a page using Elementor.
  7. Attempt to deactivate any plugin via the front end.

Additional context

This issue might be related to a known problem: v5.2 nonce/cookie issue causing repeated logouts #895.

wp-auth0 version

5.2.0

WordPress version

6.5.3

PHP version

8.2.13

seranca (Author) commented May 29, 2024

More Context:
I have linked my accounts for Elementor and WooCommerce. This involves establishing a connection from my website to their respective platforms through my account credentials.

seranca (Author) commented May 29, 2024

Digging into the problem, it seems that WordPress nonces expire when any of these plugins are active ("rest_cookie_invalid_nonce").

Current garbage collector config (php.ini)
session.gc_probability = 1
session.gc_maxlifetime = 1440
session.gc_divisor = 100

I noticed that when the Auth0 plugin is not active, it makes a request to /wp-admin/admin-ajax.php?action=rest-nonce, but when Auth0 is active it doesn't.

seranca (Author) commented Jun 1, 2024

As @evansims suggested on v5.2 nonce/cookie issue causing repeated logouts #895.

I believe the issue stems from rolling sessions enablement and changes in WP 6.5, which significantly increased the number of concurrent async calls to the backend API while inside the admin dashboard, especially the editor view.

Essentially, for rolling sessions to work, we have to "refresh" the WP authentication cookie to extend its expiration time. In previous WP versions, refreshing this cookie on each request worked fine — but due to the increased number of async backend API calls introduced in 6.5, you can now encounter a race condition where a backend request "refreshes" the authentication cookie's session ID (invalidating the previous one) before another already-in-flight request is resolved, causing it to fail. Subsequently, this results in an authentication state conflict, and for security reasons, WP invalidates all those sessions — forcing you to log back in.

This problem is indeed caused by rolling sessions and a race condition between async functions.

For me, trying the development 5.x branch wouldn't solve my issues because, even though the development branch has throttled the cookie refresh, using third-party plugins still breaks the session. I suggest implementing a middleware approach to handle the session refresh.
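The race described above (a rolling-session refresh rotating the auth cookie's session ID while other admin requests carrying the old ID are still in flight) and the two usual mitigations (throttling the refresh, or keeping the old ID valid for a short grace window) as an added Python model. This is not code from wp-auth0 or from anyone in the thread; the store, the timings and the mapping of a stale cookie to the "rest_cookie_invalid_nonce" error are constructed assumptions.

```python
import secrets


class RollingSessionStore:
    """Constructed model of a login cookie whose session ID is rotated on
    each request (rolling session). min_refresh throttles rotation; grace
    keeps the previous ID valid briefly so in-flight requests still succeed."""

    def __init__(self, min_refresh=0.0, grace=0.0, lifetime=1440.0):
        self.min_refresh = min_refresh
        self.grace = grace
        self.lifetime = lifetime
        self.valid = {}          # session_id -> expiry timestamp
        self.current = None
        self.last_refresh = 0.0

    def login(self, now):
        self.current = secrets.token_hex(8)
        self.valid[self.current] = now + self.lifetime
        self.last_refresh = now
        return self.current

    def handle(self, cookie_id, now):
        """Serve one request; return the session ID the response sets."""
        expiry = self.valid.get(cookie_id)
        if expiry is None or expiry < now:
            # WP would reject the nonce bound to the dead session
            raise PermissionError("rest_cookie_invalid_nonce")
        if now - self.last_refresh >= self.min_refresh:
            # rotate: the old ID only survives for the grace window
            self.valid[cookie_id] = now + self.grace
            self.current = secrets.token_hex(8)
            self.valid[self.current] = now + self.lifetime
            self.last_refresh = now
        return self.current


def simulate(store, concurrent=6, in_flight=True, start=10.0, step=0.01):
    """Fire `concurrent` requests; with in_flight=True all of them carry the
    login cookie (async editor calls), otherwise each waits for the previous
    response and uses the rotated ID. Returns the number of failed requests."""
    cookie = store.login(start)
    failures = 0
    for i in range(concurrent):
        try:
            fresh = store.handle(cookie, start + i * step)
            if not in_flight:
                cookie = fresh   # response arrived before the next call
        except PermissionError:
            failures += 1
    return failures
```

With the default store, every concurrent request after the first fails; sequential requests, a refresh throttle, or a grace window each bring the failure count to zero.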

evansims (Member) commented Jun 3, 2024

Duplicate of #895

We cannot provide special allowances or support for unrelated third-party plugins. The expectation is that the Auth0 plugin is solely responsible for handling the authentication state, and we cannot realistically make adjustments for plugins that may manipulate the state in incompatible ways.

evansims closed this as not planned (duplicate) on Jun 3, 2024.