Tags: php, laravel, cookies, token

Token Domain Conflict: How to Force Logout or Token Renewal Automatically?


Our PHP Laravel service initially configured cookies for the domain .example.com, allowing tokens to be valid across all subdomains. Recently, however, without any identifiable modifications to our codebase or .env configuration, the tokens stored in browsers are now set specifically for the example.com domain.

This shift has introduced an issue for previously logged-in users attempting to log out. Due to the disparity between the domain settings of the previous tokens (example.com) and our Single Sign-On (SSO) service attempting to log out on .example.com, users are unable to complete the logout action. Despite thorough examination, we have not identified any intentional changes in our services or configuration.

We are seeking guidance on whether there is a method to compel the application to automatically revoke previously issued tokens. This would require users to log in again, acquiring a new token that aligns with our current setup.

Your insights into potential solutions or any relevant changes that might have caused this discrepancy would be greatly appreciated.


Solution

  • We could not find any method to revoke the previously granted authentication tokens. So we changed the token key in our cookie to something like new-token. Everything works well, and if a few users still have the previous token alongside the new one, no conflict occurs. Once the previous token has expired, everything in the users' cookies will look normal again.
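As an added illustration, not code from the question or the answer: a Laravel middleware that complements the rename above by actively expiring a stale legacy token cookie whichever way the browser stored it, so it does not have to wait for natural expiry. The middleware class, the cookie name `token` and the domain `example.com` are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical middleware added as an example; it is not part of the question or answer.
// The app now issues its token under the new cookie name. Any request that still
// carries the legacy cookie gets that cookie expired instead of waiting for it to age out.
class PurgeLegacyTokenCookie
{
    private const LEGACY_COOKIE = 'token';       // assumed name of the old cookie
    private const PARENT_DOMAIN = 'example.com'; // assumed; ".example.com" is equivalent

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        if ($request->hasCookie(self::LEGACY_COOKIE)) {
            // A cookie set without a Domain attribute is stored host-only (dev tools
            // show "example.com"); one set with Domain=example.com is a domain cookie
            // (shown as ".example.com"; RFC 6265 ignores the leading dot). The change
            // described in the question is consistent with the app no longer sending
            // a Domain attribute, e.g. an unset SESSION_DOMAIN. A Set-Cookie header can
            // only expire a cookie whose name, path and Domain attribute match, so one
            // expiring header is sent per variant.
            foreach ([null, self::PARENT_DOMAIN] as $domain) {
                $response->headers->setCookie(new Cookie(
                    self::LEGACY_COOKIE,
                    '',      // empty value
                    1,       // expiry in the past (Unix time 1)
                    '/',
                    $domain, // null => host-only variant, otherwise the domain variant
                    true,    // Secure
                    true     // HttpOnly
                ));
            }
        }

        return $response;
    }
}
```

Register the class in the web middleware group so it runs on every request that may still carry the old cookie; the new cookie name is untouched, so users holding both are unaffected.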