improved

Session Not Found Checks

Session Not Found pages had been showing up more often when users returned from bank consents. This happened for:

  • journeys started in private browsing
  • journeys started on non-default browsers

When returning from the bank, the user would be sent to the default browser, which in some instances could not find the starting session. The checks for this have been loosened so that flows can start and end in different browser sessions.

There is no security risk with these less strict checks, as session hijacking is still prevented: the consent flow can only be finished by someone who started the flow and got to their bank consent screen.

If you're completing an AIS connection, you will have to provide the sub parameter when exchanging the code for tokens, to ensure the user matches the authorisation code.
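
A minimal model of the code-to-user binding described above, as an added example that is not the product's own code. The names CodeStore, issue and exchange, the 300-second lifetime and the single-use rule are assumptions made for illustration; the point is that redemption depends on the code and the sub, not on which browser session the user returned in.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the page does not state one


class CodeStore:
    """In-memory model of authorisation codes bound to a user's sub (hypothetical)."""

    def __init__(self, now=time.time):
        self._codes = {}  # code -> (sub, expires_at)
        self._now = now   # injectable clock so expiry can be exercised

    def issue(self, sub):
        """Bind a fresh, unguessable code to the sub of the user who started the flow."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (sub, self._now() + CODE_TTL_SECONDS)
        return code

    def exchange(self, code, sub):
        """Redeem a code for tokens. No browser session is consulted here."""
        # Single use: the code is removed even if the checks below fail,
        # so a failed guess at the sub cannot be retried with the same code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_sub, expires_at = entry
        if self._now() > expires_at:
            return None
        # Constant-time comparison of the supplied sub with the bound one.
        if not hmac.compare_digest(bound_sub.encode(), sub.encode()):
            return None
        return {"access_token": secrets.token_urlsafe(32), "sub": bound_sub}


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("user-123")            # constructed sample sub
    print(store.exchange(code, "user-999"))   # wrong user: rejected
    print(store.exchange(code, "user-123"))   # code already burned: rejected
```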