
MSAL Browser v4+ might not be persisting sessions on mobile browsers #7935

@vb-software

Description


Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

4.x.x

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

This has come up in other issues/questions and I believe this needs more attention.

Since the introduction of MSAL Browser v4.x, around February 2025, there has been some unintended behavior with regard to persisting user logins.

While I understand the security justification to now encrypt the local storage keys and then place the decryption key in session storage, I have been getting reports in my organization of users having to log in too many times.

These users are using mobile devices (tablet or phone) with a range of Browsers (iOS Safari, iOS Chrome, Android Chrome) and they ARE NOT closing their web browsers.

Yet when they bring their app browser to the forefront they are being forced to log in after only a few hours.

I believe that browser specific situations are occurring where those browsers will suspend/end sessions EVEN THOUGH the app is in the background.

In my organization's case there is also the potential for user devices changing IP and networks because they are travelling and use our application while moving from one location to another.

Version 3 would persist user logins since there was no encryption and thus there was no decryption key getting cleared where visiting the app would clear local storage.

It would be great if this issue could get more attention and something can be done to still BE SECURE but also behave in an expected and consistent manner, or otherwise have an option for the requirement of utilizing localStorage keys that can persist across sessions.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

No response

MSAL Configuration

```javascript
const msalConfig = {
  auth: {
    clientId: "xxx",
    authority: b2cPolicies.authorities.signUpSignIn.authority,
    knownAuthorities: [b2cPolicies.authorityDomain],
    postLogoutRedirectUri: "/",
    redirectUri: window.location.origin + "/", // Root path as redirect URI
  },
  cache: {
    cacheLocation: "localStorage"
  }
};
// The pasted config also contained the API scope string
// "https://TrussTrax.onmicrosoft.com/api/TrussTrax.Write"; the array it belonged to
// (typically the scopes of a token request) was cut off in the original.
```

Relevant Code Snippets

NA

Reproduction Steps

Force a scenario on a mobile device, with a browser, where that browser Application might kill a session (due to resources, network change, IP change, etc).

Expected Behavior

Local storage keys should persist between sessions as they did in version 3

Identity Provider

Azure B2C Basic Policy

Browsers Affected (Select all that apply)

Safari
Chrome

Regression

No response
