Nextjs-Auth0, Old Session not expired after Logout

It was observed that even after the user is logged out in the browser, it is still possible to perform authenticated actions using previously captured requests, as the cookie is not invalidated on the server.

Could someone please help?

Hey @mhd-rawashdah!

How are you currently logging out users? The more detail you can provide and even steps to reproduce the better!

Hey @tyf

Thank you for your prompt response

I am using the standard configuration of the auth0-nextjs SDK, following the documentation. I have a logout endpoint configured using auth0.handleAuth():

```ts
import type { NextApiRequest, NextApiResponse } from 'next'
// `auth0` is the initAuth0() instance shown below; `Locale` and `auth0BaseUrl`
// come from the app's own config module.

export default auth0.handleAuth({
  logout: async (req: NextApiRequest, res: NextApiResponse) => {
    // Pick the locale for the post-logout landing page from the NEXT_LOCALE cookie
    let locale = req.cookies.NEXT_LOCALE
    locale = locale === Locale.AR ? 'ar' : 'en'

    // Clears the session cookie and redirects to Auth0's logout endpoint
    await auth0.handleLogout(req, res, {
      returnTo: `${auth0BaseUrl}/${locale}/partner/pre-register?origin=dsa`
    })
  }
})
```

Here are the Auth0 SDK configurations:

```ts
import { initAuth0 } from '@auth0/nextjs-auth0'

export default initAuth0({
  secret: auth0Secret,
  issuerBaseURL: auth0IssuerBaseUrl,
  baseURL: auth0BaseUrl,
  clientID: auth0ClientId,
  clientSecret: auth0ClientSecret,
  authorizationParams: {
    scope: 'openid profile email offline_access'
  },
  session: {
    rolling: true,
    rollingDuration: 30 * 60, // 30 minutes of inactivity before the cookie expires
    cookie: {
      transient: true // session cookie: dropped when the browser is closed
    }
  }
})
```

For logout, there is a CTA on the client side using an HTML link element:

```html
<a href="api/logout">Sign Out</a>
```

Steps to reproduce:

  1. User logs in normally using their credentials.
  2. Capture any protected request from the Network tab, for example, by copying the cURL request.
  3. User clicks logout, it works fine, and the session is deleted from the browser.
  4. Now try to use the captured request and execute it; the session will keep working and have access.
  5. When debugging on the server side, auth0.getSession() returns the session.

So, an attacker or a previous user with an old session cookie can continue to perform unauthorized actions even after the actual user terminates the current session.

The expected result is that once a user logs out, the session cookie of that user must be forcefully invalidated on the server.

Hey @tyf

Please, do you have any update on this?