When using the admin panel and clicking the logout button, the message in the UI is "You have been logged out successfully." However, `/api/users/logout` returns `{"errors":[{"message":"No User"}]}`, and fails to clear cookie `payload-token`. When clicking "Log back in", the UI shows "Already logged in", and I can return to the dashboard. The "log out" link on this page in the text "To log in with another user, you should log out first." similarly has no effect.
It appears the `set-cookie` header is not being sent properly by `api/users/logout`, but I observe this only in the browser. Based on the error body, it seems it's doing this because it doesn't recognize a user is logged in, but I can confirm that the `cookie` header with the relevant token is being sent by the browser in the request. Oddly, if I try the same with `curl` or Postman, the logged-in user seems to be recognized and the `set-cookie` header is sent correctly.
Indeed I was, copied the cookie straight from the network inspector in the browser. Request in browser looked correct as well, but got back "No user".
Don't have it on hand at the moment, but also haven't been experiencing the issue today. You guys have been bumping versions pretty frequently the last weeks, and I've been upgrading regularly since we're still in dev. Anything that might have changed in that section of the code that might explain it?
The logout operation requires a `user` to log out. Are you sending an authenticated user through a `POST` request to `/api/users/logout`?
Can you send the request to me?
Nothing that would affect authentication in this way
hey, what was the solution to this?
I am experiencing a similar issue, that's also stopping me from using access control. thanks.
If someone else encounters this issue, temporarily set your response headers to expire the payload-token immediately, e.g. in your middleware.ts:
```ts
import { NextResponse } from 'next/server'
export function middleware() {
  const response = NextResponse.next()
  response.headers.set('Set-Cookie', 'payload-token=; Max-Age=0') // expire the cookie on every response
  return response
}
```
Worked for me
Not exactly the solution you're looking for, but I know how to fix your issue, i'll respond in your post
Hi @780916551502659594, I'm having this issue #1277517339084197888 where after I log out on my frontend, if I have multiple tabs, the cookie doesn't clear in others (until I hit F5), which still lets me have access. I need a way to make the cookie invalid after logging out so even if the payload-token is still there, it wouldn't allow the user to do any other actions, forcing them to re-login.
Do you think this will help? I'm a bit lost on authentication and how it works. Thanks!
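To make a leftover `payload-token` useless after logout (the multi-tab case asked about above), the server has to remember that the token was logged out instead of relying on the browser to drop the cookie. The following is an added illustration, not Payload's own code: the cookie name and the error body come from the thread, while the handler names, the status codes and the in-memory revocation set are assumptions.

```typescript
const COOKIE_NAME = 'payload-token'

// Tokens that have been logged out. In-memory here (an assumption for the
// example); real deployments need a shared store so every instance sees it,
// pruned once the token's own expiry has passed.
const revokedTokens = new Set<string>()

// Minimal parser for a request's `cookie` header, returning the named value.
function readCookie(cookieHeader: string | undefined, name: string): string | undefined {
  if (!cookieHeader) return undefined
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=')
    if (eq === -1) continue
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim()
  }
  return undefined
}

interface LogoutResult {
  status: number
  headers: Record<string, string>
  body: { errors?: { message: string }[]; message?: string }
}

// Logout: refuse when no token is presented (the "No User" body from the thread),
// otherwise revoke the token and tell the browser to drop the cookie. Path (and
// Domain, if one was set) must match the attributes the cookie was issued with,
// or the browser keeps the original cookie and the logout looks like it did nothing.
function logout(cookieHeader: string | undefined): LogoutResult {
  const token = readCookie(cookieHeader, COOKIE_NAME)
  if (!token) {
    return { status: 401, headers: {}, body: { errors: [{ message: 'No User' }] } }
  }
  revokedTokens.add(token)
  return {
    status: 200,
    headers: { 'Set-Cookie': `${COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax` },
    body: { message: 'You have been logged out successfully.' },
  }
}

// Access check for every later request: a token that was logged out is rejected
// even when another tab still sends it, so the user is forced to log in again.
function isAuthenticated(cookieHeader: string | undefined): boolean {
  const token = readCookie(cookieHeader, COOKIE_NAME)
  return !!token && !revokedTokens.has(token)
}
```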