Set-Login

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The Set-Login response header is sent by a federated identity provider (IdP) to set its login status — by this, we mean "whether any users are logged into the IdP on the current browser or not". This is stored by the browser and used by the FedCM API to reduce the number of requests it makes to the IdP (because it does not need to waste time requesting accounts when there are no users logged in to the IdP). It also mitigates potential timing attacks.

The header may be set on any response resulting from a top-level navigation or a same-origin subresource request on the IdP's origin site — basically, any interaction with the IdP site may result in this header being set, and the login status being stored by the browser.

See Update login status using the Login Status API for more information about FedCM login status.

Header type: Response header
Forbidden header name: no

Syntax

Set-Login: status

Directives

status

A string representing the login status to set for the IdP. Possible values are:

  • "logged-in": The IdP has at least one user account signed in.
  • "logged-out": All IdP user accounts are currently signed out.

Note: Browsers should ignore this header if it contains any other value.

Examples

Set-Login: logged-in

Set-Login: logged-out
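
The following is an added example, not code from this page or from the FedCM specification. It sketches how an IdP that allows several accounts per browser could choose the header value so that "logged-out" is sent only when the last account signs out, plus a check for values a browser would ignore. The function names, event names and in-memory store are assumptions.

```javascript
// Added example (hypothetical IdP code, not from MDN or the FedCM specification).
// Constructed in-memory store: browser session id -> Set of signed-in account ids.
const signedIn = new Map();

// The only two values the page lists; browsers should ignore anything else.
const VALID_STATUSES = new Set(["logged-in", "logged-out"]);

// Call after the IdP has verified a sign-in or completed a sign-out.
// Returns the headers to merge into that response.
function loginStatusHeaders(sessionId, event, accountId) {
  if (!signedIn.has(sessionId)) signedIn.set(sessionId, new Set());
  const accounts = signedIn.get(sessionId);
  if (event === "sign-in") accounts.add(accountId);
  else if (event === "sign-out") accounts.delete(accountId);
  else if (event === "sign-out-all") accounts.clear();
  else return {}; // not an auth event: send no header, stored status is untouched
  // "logged-in" while at least one account remains, "logged-out" only when none do.
  return { "Set-Login": accounts.size > 0 ? "logged-in" : "logged-out" };
}

// Pre-deployment check on a response's header map: a misspelled value is
// ignored by the browser, so the status the IdP meant to set is never stored.
function checkSetLogin(headers) {
  const value = headers["Set-Login"];
  if (value === undefined) return "absent";
  return VALID_STATUSES.has(value) ? "ok" : "ignored-by-browser";
}

// Constructed walk-through: two accounts sign in, then sign out one at a time.
for (const [event, account] of [
  ["sign-in", "alice"], ["sign-in", "bob"], ["sign-out", "alice"], ["sign-out", "bob"],
]) {
  const headers = loginStatusHeaders("demo-session", event, account);
  console.log(event, account, "->", headers["Set-Login"], checkSetLogin(headers));
}
```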

Specifications

Specification: Federated Credential Management API, # login-status-http
