You can specify how the Authentication state persists when using the FirebaseJS SDK. This includes the ability to specify whether a signed in user shouldbe indefinitely persisted until explicit sign out, cleared when the window isclosed or cleared on page reload.

For a web application, the default behavior is to persist a user's session evenafter the user closes the browser. This is convenient as the user is notrequired to continuously sign-in every time the web page is visited on the samedevice. This could require the user having to re-enter their password, send anSMS verification, etc, which could add a lot of friction to the user experience.

However, there are cases where this behavior may not be ideal:

• Applications with sensitive data may want to clear the state when the windowor tab is closed. This is important in case the user forgets to sign out.
• Applications that are used on a device shared by multiple users. A commonexample here is an app running in a library computer.
• An application on a shared device that might be accessed by multiple users.The developer is unable to tell how that application is accessed and may wantto provide a user with the ability to choose whether to persist their sessionor not. This could be done by adding a "Remember me" option during sign-in.
• In some situations, a developer may want to not persist an anonymous useruntil that user is upgraded to a non-anonymous account (federated, password,phone, etc.).
• A developer may want to allow different users to sign in to an applicationon different tabs. The default behavior is to persist the state across tabsfor the same origin.

As stated above, there are multiple situations where the default permanentpersistence may need to be overridden.

Supported types of Auth state persistence

You can choose one of three types of Auth state persistence on a specifiedFirebase Auth instance based on your application or user's requirements.

Modifying the Auth state persistence

You can specify or modify the existing type of persistence by calling thefirebase.auth().setPersistence method:

import{getAuth,setPersistence,signInWithEmailAndPassword,browserSessionPersistence}from"firebase/auth";constauth=getAuth();setPersistence(auth,browserSessionPersistence).then(()=>{// Existing and future Auth states are now persisted in the current// session only. Closing the window would clear any existing state even// if a user forgets to sign out.// ...// New sign-in will be persisted with session persistence.returnsignInWithEmailAndPassword(auth,email,password);}).catch((error)=>{// Handle Errors here.consterrorCode=error.code;consterrorMessage=error.message;});
auth_set_persistence_session.js

firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION).then(()=>{// Existing and future Auth states are now persisted in the current// session only. Closing the window would clear any existing state even// if a user forgets to sign out.// ...// New sign-in will be persisted with session persistence.returnfirebase.auth().signInWithEmailAndPassword(email,password);}).catch((error)=>{// Handle Errors here.varerrorCode=error.code;varerrorMessage=error.message;});
auth-state-persistence.js

This will change the type of persistence on the specified Auth instancefor the currently saved Auth session and apply this type of persistence forfuture sign-in requests, including sign-in with redirect requests. This willreturn a promise that will resolve once the state finishes copying from onetype of storage to the other.Calling a sign-in method after changing persistence will wait for thatpersistence change to complete before applying it on the new Auth state.

The default for web browser and React Native apps islocal (provided thebrowser supports this storage mechanism, eg. 3rd party cookies/data are enabled)whereas it isnone for Node.js backend apps.

Overview of persistence behavior

The following criteria will be applied when determining the current state ofpersistence.

• Initially, the SDK will check if an authenticated user exists. UnlesssetPersistence is called, that user's current persistence type will beapplied for future sign-in attempts. So if that user was persisted insession on a previous web page and a new page was visited,signing in again with a different user will result in that user's state beingalso saved withsession persistence.
• If no user is signed in and no persistence is specified, the default settingwill be applied (local in a browser app).
• If no user is signed in and a new type of persistence is set, any futuresign-in attempt will use that type of persistence.
• If the user is signed in and persistence type is modified, that existingsigned in user will change persistence to the new one. All future sign-inattempts will use that new persistence.

• When signInWithRedirect is called, the current persistence type is retainedand applied at the end of the OAuth flow to the newly signed in user, even ifthe persistence wasnone.If the persistence is explicitly specified on that page, it will override theretained auth state persistence from the previous page that started theredirect flow.

  Web

  import{getAuth,setPersistence,signInWithRedirect,inMemoryPersistence,GoogleAuthProvider}from"firebase/auth";constauth=getAuth();setPersistence(auth,inMemoryPersistence).then(()=>{constprovider=newGoogleAuthProvider();// In memory persistence will be applied to the signed in Google user// even though the persistence was set to 'none' and a page redirect// occurred.returnsignInWithRedirect(auth,provider);}).catch((error)=>{// Handle Errors here.consterrorCode=error.code;consterrorMessage=error.message;});
  auth_set_persistence_none.js

  Web

  firebase.auth().setPersistence(firebase.auth.Auth.Persistence.NONE).then(()=>{varprovider=newfirebase.auth.GoogleAuthProvider();// In memory persistence will be applied to the signed in Google user// even though the persistence was set to 'none' and a page redirect// occurred.returnfirebase.auth().signInWithRedirect(provider);}).catch((error)=>{// Handle Errors here.varerrorCode=error.code;varerrorMessage=error.message;});
  auth-state-persistence.js

Expected behavior across browser tabs

The following expected behavior will apply when different persistence types areused in different tabs. The requirement is that at any point, there should neverbe multiple types of saved states at the same time (eg. auth state saved insession andlocal types of storage):

• Users can sign in usingsession ornone persistence with different userson multiple tabs. Each tab cannot see the state of the other tab.
• Any attempt to sign in usinglocal persistence will be detected andsynchronized on all tabs. If the user was previously signed in on a specifictab usingsession ornone persistence, that state will be cleared.
• If the user was previously signed in usinglocal persistence with multipletabs opened and then switches tonone orsession persistence in one tab,the state of that tab will be modified with the user persisted insession ornone and on all other tabs, the user will be signed out.