Auth0-nextjs - Logout failure due to race condition with Set-Cookie

I’m encountering an issue with the auth0-nextjs SDK that causes logout to fail in a particular scenario. Note that I’ve browsed for solutions and nothing seems to resolve this issue so far. The SDK uses “appSession” cookies, and this cookie is refreshed by response headers from the authenticated API calls initiated from the app.

I found that if there are no pending requests / all requests were resolved before logging out, then logout is successful 10/10 times. But if an API call resolves after logging out (by redirecting to /api/auth/logout), then logout will always fail in the sense that the user still has an active session. There is a successful logout event in Auth0, but the session is valid and the user is still authenticated. I’m inclined to believe that since the network response (which resolves after logout successfully resolves) has a “Set-Cookie” header, it will “refresh” the session.

Overall, there is definitely a correlation between logout failing to invalidate the session and pending network requests (those that have “Set-Cookie” for the session). Recommended solutions, such as calling the Auth0 logout endpoint directly, do not work. Would appreciate any thoughts!
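
The race described in the post above, modeled as an added example that is not part of the original post or the SDK's code: a logout response clears `appSession`, then a late API response sets it again. The `sid-1.vN` cookie format, the revocation set and the `abortPendingAtLogout` option are assumptions made for illustration.

```javascript
// Constructed model: a browser cookie jar applies Set-Cookie headers in the
// order responses ARRIVE, not the order the requests were sent.
function applySetCookie(jar, header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const expired = attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a));
  if (expired) jar.delete(name);
  else jar.set(name, value);
}

// Replay responses by arrival time. With abortPendingAtLogout (hypothetical
// option, e.g. AbortController in a real client) late API responses are dropped.
function replay(responses, { abortPendingAtLogout = false } = {}) {
  const jar = new Map([['appSession', 'sid-1.v1']]);
  const logoutAt = responses.find((r) => r.kind === 'logout').arrives;
  [...responses]
    .sort((a, b) => a.arrives - b.arrives)
    .filter((r) => !(abortPendingAtLogout && r.kind === 'api' && r.arrives > logoutAt))
    .forEach((r) => applySetCookie(jar, r.setCookie));
  return jar;
}

// Server-side check (assumed design): the cookie carries a session id, and
// logout records that id so a cookie restored later is still rejected.
function isSessionValid(jar, revokedIds) {
  const cookie = jar.get('appSession');
  if (!cookie) return false;
  return !revokedIds.has(cookie.split('.')[0]);
}

// Constructed timeline: the API call was sent before logout but resolves after it.
const timeline = [
  { kind: 'logout', arrives: 10, setCookie: 'appSession=; Max-Age=0; Path=/' },
  { kind: 'api', arrives: 25, setCookie: 'appSession=sid-1.v2; Path=/; HttpOnly' },
];

const raced = replay(timeline);                                   // cookie restored
const aborted = replay(timeline, { abortPendingAtLogout: true }); // cookie stays cleared
const revoked = new Set(['sid-1']);                               // written at logout

console.log('race, no revocation:  ', isSessionValid(raced, new Set()));   // true
console.log('race, revocation list:', isSessionValid(raced, revoked));     // false
console.log('pending calls aborted:', isSessionValid(aborted, new Set())); // false
```

Dropping late responses on the client only narrows the window; the revocation check is what keeps a restored cookie from being accepted.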

Hey there!

Can I ask you to raise it as a GitHub issue there? It would be the best way to handle that most effectively as we will be able to work directly with the SDK maintainers. Once you have a link to it you can share it here and we will ping them.
