Here is some context on account login behavior – specifically around why users might sometimes get logged out or prompted to re-authenticate – and the systems at play behind the scenes at Rivo.
Authentication methods
We currently support methods of authenticating users across your site:
Google Auth – Session duration and persistence are managed by Google and can vary based on individual user settings and device configurations.
Shopify Multipass (classic customer accounts) – This is Shopify’s official SSO system, which allows us to securely sign a user into your storefront.
Shopify New Customer Accounts – Rivo is compatible with Shopify's new customer account system using Sign in with Shop
Shop Pay – This is Shopify’s express checkout solution. It keeps users signed in for months or longer, but again, this depends on cookies and browser fingerprinting. It’s designed for a seamless one-click checkout, but even this can be disrupted by changes to device, IP address, or if the user clears cookies.
Apple Login – Subject to Apples device settings.
Why users may get logged out
There are several reasons a user may be logged out across any of these systems, including:
Clearing cookies or using incognito mode
Switching browsers or devices
Shop Pay session expiring after long inactivity (usually a few weeks)
Security triggers (location/IP change)
Manual logout by the user
Shopify enforcing session resets after security updates
Security-first login behavior
We also have additional measures in place to ensure the integrity of login and account creation:
IP Address Check – We only allow persistent login if the IP has been recorded before. This prevents login tokens from being reused across unfamiliar networks.
Device History Check – If a device has been used to log into multiple accounts, we won’t auto-login or auto-create a new account. This avoids accidental logins on shared devices or public computers.
These security checks are intentional. While they can make testing trickier (since you may see different behaviors depending on the device, network, or test account used), they exist to prevent unauthorized access or unwanted account creation.
How long does Rivo keep customers signed in for?
Rivo keeps customers signed in for as long as Shopify’s authentication system allows, and we intentionally rely on Shopify’s own session controls for security. Shopify maintains active storefront logins for up to several weeks, and for brands using New Customer Accounts / Login with Shop, sessions can extend to month(s).
Because login persistence is tied directly to Shopify’s session cookie, customers benefit from the same protections Shopify uses across every Plus store, secure expiry, browser-level safeguards, and automatic token rotation. Things like how often a customer revisits the site or whether they switch devices can naturally extend or shorten that window.
The important part: Rivo never overrides Shopify’s security posture. We keep customers signed in for the maximum duration Shopify supports, while respecting their security model end-to-end. It’s frictionless for shoppers and fully aligned with Shopify’s best-practice standards.
Summary
Shopify's session cookie is the single source of truth.
If it’s gone, we fall back on localStorage and re-authenticate.
We're using a layered approach (Shopify session, localStorage, and security checks) to keep users logged in as persistently as possible, but always within Shopify’s guidelines and best practices.
Reach out anytime us know if you’d like a breakdown on any specific login flows, edge cases, or testing setups. We’re happy to walk you through it.