native app session cookie

testuser7 271 Reputation points
2020-07-16T20:30:00.1+00:00

Hello,

I have one point to discuss with respect to the non-persistent session cookie.

We know that when a browser is closed, the non-persistent cookies are destroyed so the session is no longer available.
The default lifetime is 24 hours for a non-persistent cookie.

What happens when a user is working in a mobile app which opens a Chrome Custom Tab, authenticates the user, and control comes back to the mobile app?
We know that Custom Tabs share a cookie jar with the default system browser, enabling fewer sign-ins with native apps that have integrated with Custom Tabs.
But in order to benefit from such a cookie, that browser has to be up, as it is a non-persistent cookie.
Once the custom tab disappears and control comes back to the native app, would the non-persistent AAD cookie still be available to be used with another mobile app to achieve SSO?

Thanks.

Microsoft Entra ID

4 answers

  1. AmanpreetSingh-MSFT 56,556 Reputation points
    2020-07-20T07:57:09.163+00:00

    Hello @testuser7-8288

    As per this documentation, since Azure AD saves the same identity cookie in the browser as it does for web apps, if the native or mobile app uses the system browser it will immediately get SSO with the corresponding web app. If you are using MSAL (Microsoft Authentication Library), by default your application would use the system browser.


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


  2. AmanpreetSingh-MSFT 56,556 Reputation points
    2020-07-21T07:20:19.42+00:00

    Hello @testuser7 ,

    Session cookies are dropped to web browsers in case of web apps only. For Native/Mobile apps, session cookies are not dropped to web browsers. Now, if you have web apps and session cookies are stored in the browser, native/mobile apps can leverage those cookies and you will get an SSO experience.

    If you don't have any web apps and you have only signed in to NativeApp1, while signing in to NativeApp2 you won't get an SSO experience as there won't be any session cookie available.

    Please refer to the flow diagrams for better understanding:

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


  3. testuser7 271 Reputation points
    2020-07-22T14:11:03.86+00:00

    Thanks. Let me look into it.


  4. testuser7 271 Reputation points
    2020-11-18T18:16:34.447+00:00

    Hi @AmanpreetSingh-MSFT

    I think what you are writing above does NOT match the two diagram links.
    If you look closely at the second diagram of "Native/Mobile app sign-in flow", Azure-AD indeed drops the cookie in the browser.

    That's why I was asking:
    Can a persistent session cookie be used during a sign-frequency violation?

    Thanks.
