@W-20173671/@W-20005462: [Android] Extra session on logout/add account when upgrading from Mobile SDK 12 to 13/[Android] Toggle for clearCookies after login (#2806)

JohnsonEricAtSalesforce · web-flow · commit b44f65c7f2be · 2025-12-23T11:27:22.000-07:00
* @W-20173671: [Android] Extra session on logout/add account when upgrading from Mobile SDK 12 to 13

* @W-20005462: [Android] Toggle for clearCookies after login

* @W-20005462: [Android] Toggle for clearCookies after login (Code Review Updates)
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/app/SalesforceSDKManager.kt b/libs/SalesforceSDK/src/com/salesforce/androidsdk/app/SalesforceSDKManager.kt
@@ -149,7 +149,6 @@ import kotlinx.coroutines.Dispatchers.Main
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withTimeoutOrNull
 import okhttp3.HttpUrl.Companion.toHttpUrlOrNull
-import org.jetbrains.annotations.Debug
 import java.lang.String.CASE_INSENSITIVE_ORDER
 import java.net.URI
 import java.util.Locale.US
@@ -336,6 +335,15 @@ open class SalesforceSDKManager protected constructor(
      */
     var additionalOauthKeys: List<String>? = null
 
+    /**
+     * Determines if the authentication web view's cookies will be cleared after
+     * authentication.  The default behavior is true to protect against re-use
+     * of authentication related cookies and duplication authentication action.
+     * Only apps the specifically require persistent cookies should set this to
+     * false.
+     */
+    var clearCookiesAfterLogin = true
+
     /**
      * The login brand. In the following example, "<brand>" should be set here.
      * https://community.force.com/services/oauth2/authorize/<brand>?response_type=code&...
@@ -829,9 +837,6 @@ open class SalesforceSDKManager protected constructor(
      */
     private fun startSwitcherActivityIfRequired() {
 
-        // Clear cookies
-        CookieManager.getInstance().removeAllCookies(null)
-
         /*
          * If the number of accounts remaining is 0, show the login page.
          *
@@ -1106,6 +1111,10 @@ open class SalesforceSDKManager protected constructor(
         )
         clientMgr.removeAccount(account)
         isLoggingOut = false
+
+        // Clear cookies to ensure those used during previous log in will not be re-used to log the user in again.
+        CookieManager.getInstance().removeAllCookies(null)
+
         notifyLogoutComplete(showLoginPage, logoutReason, userAccount)
 
         // Revoke the existing refresh token
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginViewModel.kt b/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginViewModel.kt
@@ -318,9 +318,10 @@ open class LoginViewModel(val bootConfig: BootConfig) : ViewModel() {
         onAuthFlowError: (error: String, errorDesc: String?, e: Throwable?) -> Unit,
         onAuthFlowSuccess: (userAccount: UserAccount) -> Unit,
     ) {
-        // Clear cookies when we finish auth to prevent automatic re-login
-        // if the user tries to add another user right away.
-        clearCookies()
+        // Clear cookies after successful authentication to prevent automatic re-login if the user tries to add another user right away.
+        if (SalesforceSDKManager.getInstance().clearCookiesAfterLogin) {
+            clearCookies()
+        }
         authCodeForJwtFlow = null
         onAuthFlowComplete(
             tokenResponse = tr,
