Auth0.OidcClient.WPF/WinForms - LogoutAsync causes cookie to grow until bad request

Hi,

Have a desktop application. Multiple users on the same machine/account. The user is logged in to the app, gets a token and then is logged out from auth0 and continues to use the app. Works great… but each logout causes data to be appended to the browser cookie. I capture the traffic using Fiddler so I can see the growth of the cookie.

When the cookie has grown to ~5-6 KB in size, calls to auth0 start to fail with 400 bad requests. This is probably due to a header size limit.

The cookie is persisted so this problem survives computer and application restarts. I have to manually go in and delete the cookie for the auth0-domain or wait it out (not yet investigated expiration etc).

The Auth0Client interface does not give you access to the .NET WebBrowser object. That would at least have given some methods and properties to try out.

The only workaround I have found so far is to prevent cookies from being persisted by calling InternetSetOption in wininet.dll. This feels like a bad hack and it forces tedious logins for customers with MFA enabled.

In short:

From what I can see, the method IAuth0Client.LogoutAsync causes the cookie to grow for each logout until it causes a bad request.

Does anyone know a way around this problem?

/Niklas

Done some more digging. Each logout adds one of these lines to the cookie:

com.auth0.auth.<~150 chars> = {%22nonce%22:%<~30 chars>%22%2C%22state%22:%<~150 chars>%22%2C%22lastUsedConnection%22:%22xxxx-waad%22}

The removed chars are random alphanumeric. Maybe this is something that can be configured in the auth0 tenant.
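
A diagnostic for the growth described in the posts above, as an added example that is not part of the original thread or of the Auth0 SDK: it takes a Cookie header copied from a traffic capture, counts the `com.auth0.auth.*` entries and their bytes, and flags the header once it passes the roughly 5 KB mark reported above. The function names, the `sid_example` cookie and the sample values are constructed for illustration.

```python
import json
from urllib.parse import quote, unquote

PREFIX = "com.auth0.auth."  # cookie-name prefix quoted in the post
LIMIT_BYTES = 5 * 1024      # post reports 400s at roughly 5-6 KB


def audit_cookie_header(header, limit=LIMIT_BYTES):
    """Split a captured Cookie header into transaction entries and the rest."""
    entries, other_bytes = [], 0
    for pair in (p.strip() for p in header.split(";")):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        size = len(pair.encode("utf-8"))
        if not name.startswith(PREFIX):
            other_bytes += size
            continue
        try:
            fields = json.loads(unquote(value))  # value is percent-encoded JSON
        except ValueError:
            fields = None
        if not isinstance(fields, dict):
            fields = {}  # keep counting even if an entry does not decode
        entries.append({"bytes": size, "keys": sorted(fields),
                        "connection": fields.get("lastUsedConnection")})
    total = len(header.encode("utf-8"))
    stale = sum(e["bytes"] for e in entries)
    return {"total_bytes": total, "other_bytes": other_bytes,
            "transaction_entries": len(entries), "transaction_bytes": stale,
            "over_limit": total >= limit, "entries": entries}


def sample_header(logouts):
    """Constructed sample: one placeholder cookie plus one entry per logout."""
    parts = ["sid_example=" + "s" * 120]
    for i in range(logouts):
        state = f"{i:03d}" + "A" * 147  # constructed, not a real state value
        doc = json.dumps({"nonce": "n" * 30, "state": state,
                          "lastUsedConnection": "xxxx-waad"}, separators=(",", ":"))
        parts.append(PREFIX + state + "=" + quote(doc, safe=":{}"))
    return "; ".join(parts)


if __name__ == "__main__":
    for n in (2, 20):
        r = audit_cookie_header(sample_header(n))
        print(n, r["transaction_entries"], r["transaction_bytes"],
              r["total_bytes"], r["over_limit"])
```
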