Dorji Tshering 5mo ago

Convex auth `signOut` does not delete auth cookies like authJWT and refresh tokens in production

When a user signs out in production with the convex auth signOut function, the auth-related cookies are not getting removed from cookie storage, whereas during development mode (on localhost), the cookies get removed. Because of that, after signing out in production, if I refresh the page, the user remains authenticated, which is not what one would expect. It even passes from middleware to protected routes, which I believe is because the cookies are still there. Is this expected, or do I need to do some extra steps while logging out?
9 Replies
Ferdinand 5mo ago
Same problem here
Michal Srb 5mo ago
Sounds like a bug. Is this happening when your Next.js app is deployed to Vercel?
Oren 5mo ago
^ I have the same problem, and yes, it happens on a prod app deployed to Vercel. Here is a test URL: https://testest-mocha.vercel.app/
Oren 5mo ago
IETF Datatracker
Cookie Prefixes
This document updates RFC6265 by adding a set of restrictions upon the names which may be used for cookies with specific properties. These restrictions enable user agents to smuggle cookie state to the server within the confines of the existing "Cookie" request header syntax, and limits the ways in which cookies may be abused in a conforming use...
Michal Srb 5mo ago
yeah, I found the bug, trying to fix it but running into some trouble with Next.js
@Oren fixed in `@convex-dev/auth@0.0.52`, also @Dorji Tshering
Oren 5mo ago
works great thank you Michal!
Dorji Tshering (OP) 5mo ago
Superb!! @Michal Srb
codebrew 5mo ago
just ran into this as well, thanks for the fix @Michal Srb @Oren 🙏
