Overview
When a user who signed in through an OIDC connection logs out of an Application, the session and user remain active on the Application, even though the Auth0 Logs show that the Logout was Successful.
Applies To
- OIDC Logout
- Active Sessions
- Cookies
Cause
The Application does not delete the cookies when the user logs out, even after setting all of the recommended parameters documented in OIDC Logout.
Solution
A potential workaround is to create a script that deletes all of the user's cookies after the logout process completes, like the example below:
<?php
session_start();
// Destroy all data registered to the current session
session_destroy();
// Write and close the session store
session_write_close();

// Expire the Auth0 cookies set by the application
$auth0Cookies = [
    'auth0__state',
    'auth0__nonce',
    'auth0__t',
    'auth0__user',
    'auth0__redirect_uri',
    'auth0__lastCheck',
    'auth0__lastTokenResponse',
    'auth0__lastUserInfo',
    'auth0__lastAuthResponse',
    'auth0__lastError',
    'auth0__lastErrorCode',
    'auth0__lastAuth0Error',
    'auth0__lastAuth0ErrorCode',
    'auth0__lastAction',
    'auth0__lastAuth0Code',
    'auth0__lastAuth0State',
    'auth0__lastAuth0Nonce',
    'auth0__lastAuth0PKCE',
    'auth0__lastAuth0PKCEMethod',
    'auth0__lastAuth0PKCEVerifier',
    'auth0__lastAuth0PKCEChallenge',
    'auth0__lastAuth0PKCEChallengeMethod',
];
foreach ($auth0Cookies as $name) {
    setcookie($name, '', time() - 3600, '/');
}

// Delete all cookies for the current session
// ATTENTION: This will delete all cookies for the current session. You can add an if condition for setcookie to exclude some cookies from deletion.
// The raw Cookie header is parsed here rather than $_COOKIE so that cookie names are matched exactly as the browser sent them.
if (isset($_SERVER['HTTP_COOKIE'])) {
    $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
    foreach ($cookies as $cookie) {
        $parts = explode('=', $cookie, 2);
        $name = trim($parts[0]);
        if ($name === '') {
            continue;
        }
        // A cookie is only removed when name, path and domain match the original Set-Cookie, so expire both variants
        setcookie($name, '', time() - 3600, '/');
        setcookie($name, '', time() - 3600, '/', $_SERVER['HTTP_HOST'], true, true);
    }
}

// Redirect to the Auth0 Federated logout endpoint with client_id
// INSERT YOUR DOMAIN AND CLIENT ID HERE WITHOUT THE BRACKETS
header('Location: https://{DOMAIN}/oidc/logout?federated&client_id={CLIENT_ID}');
exit;
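As an added example that is not part of the original article, the same workaround written as a single handler: it parses cookie names from the raw Cookie header (PHP rewrites '.' and spaces in cookie names to '_' inside $_COOKIE, so the raw header is the reliable source), expires the PHP session cookie with the attributes it was issued with, expires every other request cookie, and only then redirects. The AUTH0_DOMAIN and AUTH0_CLIENT_ID environment variables and the function names are assumptions of this example.

```php
<?php
// Added example, not from the original article. Assumes AUTH0_DOMAIN and
// AUTH0_CLIENT_ID are provided as environment variables.
function requestCookieNames(): array
{
    // Read the raw header instead of $_COOKIE: PHP rewrites '.' and ' '
    // in cookie names to '_' there, so those cookies could not be expired.
    $names = [];
    foreach (explode(';', $_SERVER['HTTP_COOKIE'] ?? '') as $pair) {
        $name = trim(explode('=', $pair, 2)[0]);
        if ($name !== '') {
            $names[] = $name;
        }
    }
    return array_values(array_unique($names));
}
function expireCookie(string $name, string $path, string $domain): void
{
    // A browser only drops a cookie when name, path and domain match the
    // original Set-Cookie, so send both the host-only and the domain form.
    // Secure follows the request scheme: a Secure cookie sent over plain
    // HTTP is ignored by modern browsers and would not expire anything.
    $attrs = ['expires' => time() - 3600, 'path' => $path,
              'secure' => !empty($_SERVER['HTTPS']), 'httponly' => true,
              'samesite' => 'Lax'];
    setcookie($name, '', $attrs);
    if ($domain !== '') {
        setcookie($name, '', $attrs + ['domain' => $domain]);
    }
}
function logoutAndRedirect(): void
{
    $domain = getenv('AUTH0_DOMAIN') ?: '';
    $clientId = getenv('AUTH0_CLIENT_ID') ?: '';
    if ($domain === '' || $clientId === '') {
        http_response_code(500);
        exit('Auth0 logout is not configured');
    }
    session_start();
    $_SESSION = [];
    // Expire the PHP session cookie with the path/domain it was issued with.
    $sess = session_get_cookie_params();
    expireCookie(session_name(), $sess['path'], $sess['domain']);
    session_destroy();
    foreach (requestCookieNames() as $name) {
        expireCookie($name, '/', $sess['domain']);
    }
    header('Location: https://' . $domain . '/oidc/logout?federated&'
        . http_build_query(['client_id' => $clientId]), true, 302);
    exit;
}
logoutAndRedirect();
```

After deploying, confirm in the browser's developer tools that the logout response carries an expiring Set-Cookie header for every cookie listed in the preceding request, and that a reload of a protected page redirects to the login flow rather than rendering the user as signed in.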