We have this snippet of code in an Auth0 rule to check if the given user is inactive. This functionality is part of our application where user access is disabled for a specific resource.
When an inactive user tries to log in to our Java Web App, the rule is invoked and a callback with an UnauthorizedError is returned. In our CallbackController, we see this error and show the user an error saying they are not allowed to log in at this point.
But now I want to get back to the login screen to log in as a different user, but we keep getting redirected to the error page. The reason this is happening is as follows:
When a user logs in with their credentials, Auth0 creates a cookie named “auth0” for that domain. But when we throw the UnauthorizedError, it doesn’t delete this cookie causing this behavior of repeated display of the error page.
Here is the rule snippet:
// Reject the login from inside the rule when the user record is flagged inactive
if (userInfo.status === 'INACTIVE') {
    console.log('INACTIVE');
    return callback(new UnauthorizedError('inactive_user'));
}
If we manually delete this cookie from the browser, the login page is displayed as expected.
Why is Auth0 not clearing this cookie when UnauthorizedError is thrown?
How do we resolve this?
Many thanks
Yogi
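One way to handle this in the callback, as an added example that is not Yogi's code: when Auth0 redirects back with the rule's error, send the browser to the tenant's /v2/logout endpoint first, which clears the Auth0 session cookie, and only then land on the error page. The tenant domain, client id and return URL are placeholders, and the parameter names error=unauthorized / error_description=inactive_user are assumed from Auth0's standard error redirect for a rule-raised UnauthorizedError.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example (not from the original post): decides where to send the browser
// after Auth0 redirects to the application's callback URL.
public class CallbackRedirect {
    // Placeholder values; replace with the tenant's own settings.
    static final String AUTH0_DOMAIN = "YOUR_TENANT.auth0.com";
    static final String CLIENT_ID = "YOUR_CLIENT_ID";
    static final String ERROR_PAGE = "https://app.example.com/inactive";

    // Builds the Auth0 logout URL. Visiting it clears the "auth0" session cookie,
    // so the next /authorize request shows the login prompt again instead of
    // silently re-running the rule for the same inactive user.
    static String logoutUrl(String returnTo) {
        String encoded = URLEncoder.encode(returnTo, StandardCharsets.UTF_8);
        return "https://" + AUTH0_DOMAIN + "/v2/logout?client_id=" + CLIENT_ID
                + "&returnTo=" + encoded;
    }

    // Inspects the callback query parameters and returns the redirect target,
    // or null when there is no error and the normal code exchange should proceed.
    static String handleCallback(Map<String, String> params) {
        String error = params.get("error");
        if (error == null) {
            return null; // normal flow: exchange the authorization code as before
        }
        // Assumed shape of the redirect for the rule's callback(new UnauthorizedError('inactive_user'))
        if ("unauthorized".equals(error)
                && "inactive_user".equals(params.get("error_description"))) {
            // Clear the Auth0 session first; the error page is shown after logout.
            return logoutUrl(ERROR_PAGE);
        }
        // Any other error: show it without touching the Auth0 session.
        return ERROR_PAGE + "?reason=" + URLEncoder.encode(error, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample of the query Auth0 sends back for the rule in the post.
        Map<String, String> fromRule = Map.of("error", "unauthorized",
                "error_description", "inactive_user");
        System.out.println(handleCallback(fromRule));
        System.out.println(handleCallback(Map.of("code", "abc123", "state", "xyz")));
    }
}
```

The returnTo value must be listed under the application's Allowed Logout URLs in the Auth0 dashboard, otherwise the logout endpoint rejects the redirect.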