How to log user out after cookie expiration in Go?

I’ve followed the Go SDK quickstart here: Auth0 Go SDK Quickstarts: Add Login to your Go web application

And I have an app with working auth.

The problem is the quickstart assumes there will be unauthenticated routes to redirect to.

And it doesn’t show how to log the user out after the auth session cookie expires.

I need to force the user to go back through the login process in the isAuthenticated.go file in this function:

func IsAuthenticated(ctx *gin.Context) {
	if sessions.Default(ctx).Get("profile") == nil {
		ctx.Redirect(http.StatusSeeOther, "/")
	} else {
		ctx.Next()
	}
}

So instead of ctx.Redirect(http.StatusSeeOther, "/") I need them to log back in. I currently have this function redirecting them to ‘/login’.

This works in a new browser session with no auth session cookie.

But it breaks if they’ve already logged in and then the auth session cookie expires.

In that case redirecting them to /login doesn’t force the login page. It just sends them back to the app as if they had already successfully logged in.

So it’s essentially a permanent session.

So far nothing I have tried has worked.

Redirecting them to ‘/login’ and redirecting them to ‘/logout’ don’t work.

Is this documented somewhere?

What am I missing?

You’ll need to modify your authentication middleware to properly clear both your application session and the Auth0 session. Here’s how you can handle this:

  1. First, create a logout handler if you haven’t already:
func LogoutHandler(ctx *gin.Context) {
    domain := os.Getenv("AUTH0_DOMAIN")
    clientID := os.Getenv("AUTH0_CLIENT_ID")
    returnTo := os.Getenv("AUTH0_CALLBACK_URL") // or whatever URL you want to return to

    // Clear the local session
    session := sessions.Default(ctx)
    session.Clear()
    session.Save()

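    // Redirect to Auth0 logout endpoint. The query values are escaped so a
    // returnTo containing ":", "/", "?" or "&" survives intact (import "net/url").
    logoutUrl := fmt.Sprintf(
        "https://%s/v2/logout?client_id=%s&returnTo=%s",
        domain,
        url.QueryEscape(clientID),
        url.QueryEscape(returnTo),
    )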
    ctx.Redirect(http.StatusTemporaryRedirect, logoutUrl)
}
  2. Then modify your IsAuthenticated middleware:
func IsAuthenticated(ctx *gin.Context) {
    session := sessions.Default(ctx)
    if session.Get("profile") == nil {
        // Clear any existing session data
        session.Clear()
        session.Save()
        
        // Redirect to logout handler instead of directly to login
        ctx.Redirect(http.StatusSeeOther, "/logout")
        ctx.Abort() // Important: stop the middleware chain
        return
    }
    ctx.Next()
}
  3. Make sure your routes are set up correctly:
router.GET("/logout", LogoutHandler)
router.GET("/callback", CallbackHandler)
// ... other routes

The key points here are:

  1. When the session is invalid, we redirect to the logout handler instead of directly to login
  2. The logout handler clears both your application session and the Auth0 session
  3. The ctx.Abort() call is important to stop the middleware chain

The code block may not be perfect, but I hope this helps.

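The logout step from the answer above, as an added example that is not code from the thread or from the Auth0 quickstart: it uses only the standard library's net/http instead of gin, expires the local cookie, and builds the `/v2/logout` redirect with `client_id` and `returnTo` query-encoded. The cookie name `auth-session`, the function names, and the sample domain, client ID and return URL are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// logoutURL builds the Auth0 /v2/logout URL with client_id and returnTo
// query-encoded. returnTo must be an absolute http(s) URL.
func logoutURL(domain, clientID, returnTo string) (string, error) {
	rt, err := url.Parse(returnTo)
	if err != nil || rt.Host == "" || (rt.Scheme != "https" && rt.Scheme != "http") {
		return "", fmt.Errorf("returnTo must be an absolute http(s) URL: %q", returnTo)
	}
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("returnTo", rt.String())
	u := url.URL{Scheme: "https", Host: domain, Path: "/v2/logout", RawQuery: q.Encode()}
	return u.String(), nil
}

// logoutHandler expires the local session cookie, then redirects to Auth0's logout.
func logoutHandler(domain, clientID, returnTo string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target, err := logoutURL(domain, clientID, returnTo)
		if err != nil {
			http.Error(w, "logout misconfigured", http.StatusInternalServerError)
			return
		}
		// "auth-session" is an assumed cookie name; use the one your session store sets.
		http.SetCookie(w, &http.Cookie{Name: "auth-session", Path: "/", MaxAge: -1, HttpOnly: true})
		http.Redirect(w, r, target, http.StatusTemporaryRedirect)
	}
}

// followLogout runs the handler once and returns status, Location and Set-Cookie.
func followLogout(domain, clientID, returnTo string) (int, string, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/logout", nil)
	logoutHandler(domain, clientID, returnTo)(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Set-Cookie")
}

func main() {
	// Constructed sample values, not taken from the thread.
	fmt.Println(followLogout("example.us.auth0.com", "abc123", "http://localhost:3000/?next=/user&x=1"))
}
```

The return URL also has to be listed in the application's Allowed Logout URLs in the Auth0 dashboard.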