| area | webapp |
|---|---|
| type | improvement |
When an SSO session is revalidated and the IdP reports it invalid, the user is now sent to the login page with a "Your SSO session expired. Please sign in again." notice instead of seeing a raw sso_session_invalidated 401.
Navigations redirect through /logout (clearing the cookie) to /login?reason=session_expired. Programmatic fetches (Remix fetchers, Electric, etc.) get a 401 carrying an x-sso-session-invalidated marker header that a client-side fetch guard turns into the same logout redirect. EventSource streams, which can't read response headers, probe a new lightweight /resources/session-check endpoint on stream error to trigger the redirect.
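The sketch below illustrates the client-side fetch guard described above; it is an added example, not the project's own code. The function names, the `/logout` target used by the guard, the presence-only check on the marker header, the same-origin restriction and the loop check are assumptions, and the sample origin is constructed.

```javascript
// Header name, status code and paths are quoted from the note; everything else is assumed.
const MARKER_HEADER = "x-sso-session-invalidated";
const LOGOUT_PATH = "/logout"; // the note gives no query parameters for this hop
const LOGIN_PATH = "/login";

// Pure decision: returns the path to navigate to, or null to leave the response alone.
function sessionRedirectFor(response, requestUrl, location) {
  let target;
  try {
    target = new URL(requestUrl, location.href); // resolves relative fetcher URLs
  } catch {
    return null; // unparseable URL: never act on it
  }
  // Honor the marker only on same-origin responses, so a third-party API
  // the page calls cannot force a logout by echoing the header.
  if (target.origin !== location.origin) return null;
  if (response.status !== 401) return null;
  if (!response.headers.has(MARKER_HEADER)) return null; // value is not inspected
  // Do not bounce again while already on the logout/login hop.
  if (location.pathname === LOGOUT_PATH || location.pathname === LOGIN_PATH) return null;
  return LOGOUT_PATH;
}

// Wraps scope.fetch (window in a browser). The response is still returned,
// so callers see the 401 while the navigation is in flight.
function installFetchGuard(scope, navigate) {
  const original = scope.fetch.bind(scope);
  scope.fetch = async (input, init) => {
    const response = await original(input, init);
    const url = typeof input === "string" ? input : input.url ?? String(input);
    const to = sessionRedirectFor(response, url, scope.location);
    if (to) navigate(to);
    return response;
  };
}
```

In a browser this would be installed once at startup as `installFetchGuard(window, (path) => window.location.assign(path))`.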