Getting rid of appSession token when logging out

We have a bit of an issue. We kind of ended up with a bit of a Frankenstein rollout of Auth0, because we may have used another authentication solution (that shall not be named) but had to move to a better documented version (thanks team auth0 ) :slight_smile:

Generally, it works well, but we have an issue with an appSession token stored in a cookie, and we’re trying to figure out a sensible way of getting rid of it.

Basically, when you first log in, auth0 sets two tokens, a appSession and a refresh_token, and it works all nice.

However, when you click the logout button, auth0 removes the refresh_token, but not the appSession:

Part of the problem may be that we are not deploying it purely as an SPA (because of above mentioned other solution) we ended up routing all auth calls via the backend API, instead of direct to auth0 and then sending an access token.

Currently, if you log out and try to log in again, we get a 502 error. We can get it working again by manually resetting or deleting the value on appSession. Our challenge is, appSession is HttpOnly, so we need to figure out a way to delete it from the front end.

Has anyone seen this issue and have a simple solution for it?