Simplify your stack and build anything. Or everything.
Schedule a Demo
USE CASES
Headless CMSEnterprise App BuilderHeadless E-CommerceDigital Asset Management
FEATURES
Multi-TenancyWhite LabelLocalizationAccess ControlAuth
CASE STUDIES

See what others are building with Payload.

Browse Case Studies
Build tomorrow’s web with a modern solution you truly own.
PAYLOAD IS FOR
DevelopersMarketing teamsEnterprise companiesAgencies & Consultancies
COMPARE PAYLOAD
Payload vs WordPressPayload vs ContentfulPayload vs SanityPayload vs StrapiPayload vs Directus
AGENCY TESTIMONIAL

"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."

Become a PartnerFind a Partner
Code-based nature means you can build on top of it to power anything.
Resources
DocumentationExamplesTemplatesGitHubReleasesBlogGuides & Tutorials
Community
RoadmapDiscordCommunity Help
Payload Cloud

Deploy your entire stack in one place with Payload Cloud.

LoginCloud Pricing
It’s time to take back your content infrastructure.
Schedule a Demo
Enterprise Features
SSOAI Auto-EmbeddingPublishing WorkflowsVisual EditorStatic A/B testingAI features
Customer Stories
MicrosoftASICSBlue OriginHello BelloTekton
Featured Customer Story

Microsoft chose Payload to tell the world about AI.

Read the case studyBrowse all
LoginGet Started
Community Help

Logout route fails to recognize user or clear cookie

default discord avatar
bcksl7 months ago
4

When using the admin panel, clicking the logout button, the message in the UI is "You have been logged out successfully." However,

/api/users/logout

returns

{"errors":[{"message":"No User"}]}

, and fails to clear cookie

payload-token

. When clicking "Log back in", the UI shows "Already logged in", and I can return to the dashboard. The "log out" link on this page in the text "To log in with another user, you should log out first." similarly has no effect.



It appears the

set-cookie

header is not being sent properly by

api/users/logout

, but I observe this only in the browser. Based on the error body, it seems it's doing this because it doesn't recognize a user is logged in, but I can confirm that the

cookie

header with the relevant token

is

being sent by the browser in the request. Oddly, if I try the same with

curl

or Postman, the logged-in user seems to be recognized and the

set-cookie

header is sent correctly.



Indeed I was, copied the cookie straight from the network inspector in the browser. Request in browser looked correct as well, but got back "No user".



Don't have it on hand at the moment, but also haven't been experiencing the issue today. You guys have been bumping versions pretty frequently the last weeks, and I've been upgrading regularly since we're still in dev. Anything that might have changed in that section of the code that might explain it?

  • discord user avatar
    jacobsfletch
    2 years ago
    @1033006865661050921

    The logout operation requires a

    user

    to logout. Are you sending an authenticated user through a

    POST

    request to

    /api/users/logout

    ?



    Can you send the request to me?



    Nothing that would effect authentication in this way

  • default discord avatar
    taongab2 years ago

    hey, what was the solution to this?



    I am experiencing a similar issue, that's also stopping me from using access control. thanks.

  • default discord avatar
    lioloc8 months ago

    If someone else encounters this issue, temporarily set your response headers to expire the payload-token immediately, e.g. in your middleware.ts:


        const response = NextResponse.next()
    response.headers.set('Set-Cookie', 'payload-token=; Max-Age=0')
    return response

    Worked for me



    Not exactly the solution you're looking for, but I know how to fix your issue, i'll respond in your post

  • default discord avatar
    hristo60048 months ago

    Hi

    @780916551502659594

    , I'm having this issue

    #1277517339084197888

    where after I log out on my frontend, if I have multiple tabs, the cookie doesn't clear in others (until I hit F5), which still lets me have access. I need a way to make the cookie invalid after logging out so even if the payload-token is still there, it wouldn't allow the user to do any other actions, forcing them to re-login.



    Do you think this will help? I'm a bit lost on authentication and how it works. Thanks!

Open

Continue the discussion in Discord

Star on GitHub

Star

Chat on Discord

Discord

online

Can't find what you're looking for?

Get dedicated engineering support directly from the Payload team.