Rivo Accounts Authentication Methods

Understanding how authentication works at Rivo

Written by James Dohm
Updated today

Here is some context on account login behavior – specifically around why users might sometimes get logged out or prompted to re-authenticate – and the systems at play behind the scenes at Rivo.

Authentication methods

We currently support the following methods of authenticating users across your site:

  1. Google Auth – Session duration and persistence are managed by Google and can vary based on individual user settings and device configurations.

  2. Shopify Multipass (classic customer accounts) – This is Shopify’s official SSO system, which allows us to securely sign a user into your storefront.

  3. Shopify New Customer Accounts – Rivo is compatible with Shopify's new customer account system using Sign in with Shop.

  4. Shop Pay – This is Shopify’s express checkout solution. It keeps users signed in for months or longer, but this depends on cookies and browser fingerprinting. It’s designed for a seamless one-click checkout, but even this can be disrupted by a change of device or IP address, or if the user clears cookies.

  5. Apple Login – Subject to Apple's device settings.


Why users may get logged out

There are several reasons a user may be logged out across any of these systems, including:

  • Clearing cookies or using incognito mode

  • Switching browsers or devices

  • Shop Pay session expiring after long inactivity (usually a few weeks)

  • Security triggers (location/IP change)

  • Manual logout by the user

  • Shopify enforcing session resets after security updates


Security-first login behavior

We also have additional measures in place to ensure the integrity of login and account creation:

  • IP Address Check – We only allow persistent login if the IP has been recorded before. This prevents login tokens from being reused across unfamiliar networks.

  • Device History Check – If a device has been used to log into multiple accounts, we won’t auto-login or auto-create a new account. This avoids accidental logins on shared devices or public computers.

These security checks are intentional. While they can make testing trickier (since you may see different behaviors depending on the device, network, or test account used), they exist to prevent unauthorized access or unwanted account creation.


Summary

  • Shopify's session cookie is the single source of truth.

  • If it’s gone, we fall back on localStorage and re-authenticate.

  • We're using a layered approach (Shopify session, localStorage, and security checks) to keep users logged in as persistently as possible, but always within Shopify’s guidelines and best practices.
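
The layered decision summarized above can be sketched as follows. This is an added illustration, not Rivo's code: the function names, data shapes, and the assumption that known IPs are tracked per account are hypothetical, and the sample values are constructed.

```javascript
// Added illustration, not Rivo's code. Names and data shapes are hypothetical.
// Assumption: known IPs are tracked per account, device history per device ID.
function newHistory() {
  return { ipsByAccount: new Map(), accountsByDevice: new Map() };
}

// Record a successful interactive login so later checks can consult it.
function recordLogin(history, { account, ip, deviceId }) {
  for (const [map, key, value] of [
    [history.ipsByAccount, account, ip],
    [history.accountsByDevice, deviceId, account],
  ]) {
    if (!map.has(key)) map.set(key, new Set());
    map.get(key).add(value);
  }
}

function decideLogin(req, history) {
  // Layer 1: a live Shopify session cookie is the source of truth.
  if (req.sessionAccount) {
    return { action: 'use_session', account: req.sessionAccount };
  }
  // Layer 2: session gone, fall back to the account remembered in localStorage.
  const remembered = req.localStorageAccount;
  if (!remembered) return { action: 'prompt_login', reason: 'nothing_remembered' };

  // Layer 3a: device history check. A device that has logged into multiple
  // accounts is treated as shared, so there is no auto-login.
  const onDevice = history.accountsByDevice.get(req.deviceId) || new Set();
  if (onDevice.size > 1) return { action: 'prompt_login', reason: 'shared_device' };

  // Layer 3b: IP address check. Persistent login only from a recorded IP.
  const knownIps = history.ipsByAccount.get(remembered) || new Set();
  if (!knownIps.has(req.ip)) return { action: 'prompt_login', reason: 'unfamiliar_ip' };

  return { action: 'reauthenticate', account: remembered };
}

// Constructed scenario: a tester's laptop, first with one account, then two.
const history = newHistory();
recordLogin(history, { account: 'alice', ip: '203.0.113.10', deviceId: 'laptop-1' });
const req = { localStorageAccount: 'alice', ip: '203.0.113.10', deviceId: 'laptop-1' };
console.log(decideLogin(req, history));                               // reauthenticate
console.log(decideLogin({ ...req, ip: '198.51.100.7' }, history));    // unfamiliar_ip
recordLogin(history, { account: 'bob', ip: '203.0.113.10', deviceId: 'laptop-1' });
console.log(decideLogin(req, history));                               // shared_device
```

The same request flips from automatic re-authentication to a login prompt once a second test account has been used on the device, which is the testing effect described under the security checks.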

Reach out anytime and let us know if you’d like a breakdown of any specific login flows, edge cases, or testing setups. We’re happy to walk you through it.