
Auth0 - session cookie delete on logout


We have to give our users the option to sign out of our application. This would require them to log back in for further use. However, it appears the auth0 session cookie is not deleted for some reason when implementing the https://YOUR_AUTH0_DOMAIN/v2/logout?returnTo=http%3A%2F%2Fwww.example.com.

Even though the redirect works, the user is automatically logged back in after calling webAuth.authorize(); while you would expect to be asked to re-enter your credentials. Calling this function for the first time, the user is required to enter username and password. However, they are never required again until the token expires. Unfortunately, even the examples provided (via download section) do not address this. Wondering if this is even possible but it seems like the Auth0 website itself handles it correctly.

Here is the code example:

    // webAuth (an auth0.WebAuth instance) and AUTH0_CLIENT_ID are assumed to be
    // defined earlier on the page; the closing "});" at the end belongs to this handler.
    window.addEventListener('load', function () {
        var logoutBtn = document.getElementById('vwLogoutBtn');

        logoutBtn.addEventListener('click', logout);

        function setSession(authResult) {
            // Set the time that the access token will expire at
            var expiresAt = JSON.stringify(
                authResult.expiresIn * 1000 + new Date().getTime()
            );
            localStorage.setItem('access_token', authResult.accessToken);
            localStorage.setItem('id_token', authResult.idToken);
            localStorage.setItem('expires_at', expiresAt);
        }

        function isAuthenticated() {
            // Check whether the current time is still before the stored expiry time
            var expiresAt = JSON.parse(localStorage.getItem('expires_at'));
            return new Date().getTime() < expiresAt;
        }

        function logout() {
            // Remove tokens and expiry time from localStorage
            localStorage.removeItem('access_token');
            localStorage.removeItem('id_token');
            localStorage.removeItem('expires_at');

            // Ends the Auth0 session and redirects the browser to returnTo
            webAuth.logout({
                returnTo: 'http://staging.myproject.com/prototype/home.html',
                client_id: AUTH0_CLIENT_ID
            });

            // Runs before the logout redirect has completed, so authorize() is
            // called while the Auth0 session cookie still exists
            displayButtons();
        }

        function displayButtons() {
            if (isAuthenticated()) {
                getProfile();
            } else {
                // You are not logged in
                webAuth.authorize();
            }
        }

        // getProfile() and handleAuthentication() belong to the rest of the
        // quickstart code and are not shown in the question
        handleAuthentication();
    });

We have also tried using: https://YOUR_AUTH0_DOMAIN/v2/logout?returnTo=http%3A%2F%2Fwww.example.com

However, every time the user logs out and it hits the login page, the user is automatically logged back in.

Any help/guidance is greatly appreciated. Thank you.


Solution

  • After a lot of tests I am actually able to answer my own question LOL

    Problem was that the logout (session cookie delete) in combination with the re-login happened too fast. Putting a delay on calling webAuth.authorize() showed that the user is successfully logged out. You certainly don't want to put a delay on this function. In my case I am now forwarding to a "Logged out" page that also offers the option to log back in.
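The racing flow from the question beside the fix from the answer, as an added example that is not the poster's code: webAuth is assumed to have the auth0-js shape (logout(opts), authorize()), the logged-out page URL and client id are placeholders, and the fakes exist only to record which Auth0 calls each flow makes and in what order.

```javascript
// Added example, not the poster's code: the question's racing logout beside the
// answer's fix. Assumes auth0-js style webAuth; URL and client id are placeholders.
const LOGGED_OUT_URL = 'http://staging.myproject.com/prototype/logged-out.html';

function clearLocalSession(storage) {
  ['access_token', 'id_token', 'expires_at'].forEach((k) => storage.removeItem(k));
}

// Same check as the quickstart: the stored expiry must still be in the future.
function isAuthenticated(storage, now = Date.now()) {
  const raw = storage.getItem('expires_at');
  return raw !== null && now < JSON.parse(raw);
}

// Question's flow: local state is cleared, then authorize() runs synchronously
// while the logout redirect is pending, so the Auth0 session cookie still exists.
function logoutRacy(webAuth, storage, clientId) {
  clearLocalSession(storage);
  webAuth.logout({ returnTo: LOGGED_OUT_URL, client_id: clientId });
  if (!isAuthenticated(storage)) webAuth.authorize();
}

// Answer's flow: hand control to Auth0 and stop. returnTo must be listed under
// Allowed Logout URLs; that page offers a button wired to onLoginAgain().
function logoutSafe(webAuth, storage, clientId) {
  clearLocalSession(storage);
  webAuth.logout({ returnTo: LOGGED_OUT_URL, client_id: clientId });
}

function onLoginAgain(webAuth) { webAuth.authorize(); }

// Constructed fakes: they only record which Auth0 calls happen, in order.
function fakeStorage(seed) {
  const m = new Map(Object.entries(seed));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), removeItem: (k) => m.delete(k), size: () => m.size };
}
function fakeWebAuth() {
  const calls = [];
  return { calls, logout: (o) => calls.push('logout:' + o.returnTo), authorize: () => calls.push('authorize') };
}

// Runs one flow against a logged-in fake session and reports what happened.
function runFlow(flow) {
  const storage = fakeStorage({ expires_at: String(Date.now() + 3600000), id_token: 'id', access_token: 'at' });
  const webAuth = fakeWebAuth();
  flow(webAuth, storage, 'AUTH0_CLIENT_ID_PLACEHOLDER');
  return { calls: webAuth.calls, remaining: storage.size() };
}
```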