Convex auth `signOut` does not delete auth cookies like authJWT and refresh tokens in production
When a user signs out in production with the Convex auth `signOut` function, the auth-related cookies are not getting removed from cookie storage, whereas during development mode (on localhost), the cookies get removed. Because of that, after signing out in production, if I refresh the page, the user remains authenticated, which is not what one would expect. It even passes from middleware to protected routes, which I believe is because the cookies are still there. Is this expected or do I need to do some extra steps while logging out?
9 Replies
Same problem here
Sounds like a bug. Is this happening when your Next.js app is deployed to Vercel?
^ I have the same problem and yes it happens on prod app deployed to vercel
here is a test url: https://testest-mocha.vercel.app/
I think it's about 4.2 here: https://datatracker.ietf.org/doc/html/draft-west-cookie-prefixes-05
yeah, I found the bug, trying to fix it but running into some trouble with Next.js
@Oren fixed in `@convex-dev/auth@0.0.52` also @Dorji Tshering
works great thank you Michal!
Superb!! @Michal Srb
just ran into this as well, thanks for the fix @Michal Srb @Oren 🙏
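The cookie-prefix draft linked in the thread requires a `__Secure-` cookie to carry `Secure`, and a `__Host-` cookie to carry `Secure`, `Path=/` and no `Domain`; a browser ignores any `Set-Cookie` that breaks those rules, including one meant to clear the cookie. The following check is an added example, not code from the thread or from `@convex-dev/auth`, and the thread does not say what the fix changed. The cookie names and the helper names are assumptions made up for illustration.

```javascript
// Added example: prefix rules from the Cookie Prefixes draft applied to
// Set-Cookie headers. Cookie names are constructed samples.

// Parse one Set-Cookie header value into a name plus a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes.set(key, i === -1 ? "" : attr.slice(i + 1).trim());
  }
  return { name, attributes };
}

// List the prefix-rule violations; an empty list means the header is acceptable.
function prefixViolations(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  const isHost = name.startsWith("__Host-");
  const isSecure = name.startsWith("__Secure-");
  if ((isHost || isSecure) && !attributes.has("secure")) problems.push("missing Secure");
  if (isHost && attributes.get("path") !== "/") problems.push("Path must be /");
  if (isHost && attributes.has("domain")) problems.push("Domain not allowed");
  return problems;
}

// A sign-out response only clears a cookie if the clearing header is itself accepted.
function ineffectiveDeletions(setCookieHeaders) {
  return setCookieHeaders
    .map((header) => ({ header, problems: prefixViolations(header) }))
    .filter((result) => result.problems.length > 0);
}

// Constructed sample: the first header clears a prefixed cookie without the
// attributes its prefix demands, so the browser would keep the old cookie.
const sample = [
  "__Host-session=; Max-Age=0",
  "__Host-session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax",
  "session=; Max-Age=0; Path=/",
];
console.log(ineffectiveDeletions(sample));
```

Running the same check over the `Set-Cookie` headers of a real sign-out response, on the deployed HTTPS origin rather than localhost, shows whether each clearing header would be honoured.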