
Logout route fails to recognize user or clear cookie

bcksl, 7 months ago
4

When using the admin panel, clicking the logout button, the message in the UI is "You have been logged out successfully." However, /api/users/logout returns {"errors":[{"message":"No User"}]}, and fails to clear the payload-token cookie. When clicking "Log back in", the UI shows "Already logged in", and I can return to the dashboard. The "log out" link on this page in the text "To log in with another user, you should log out first." similarly has no effect.



It appears the set-cookie header is not being sent properly by api/users/logout, but I observe this only in the browser. Based on the error body, it seems it's doing this because it doesn't recognize a user is logged in, but I can confirm that the cookie header with the relevant token is being sent by the browser in the request. Oddly, if I try the same with curl or Postman, the logged-in user seems to be recognized and the set-cookie header is sent correctly.



Indeed I was, copied the cookie straight from the network inspector in the browser. Request in browser looked correct as well, but got back "No user".



Don't have it on hand at the moment, but also haven't been experiencing the issue today. You guys have been bumping versions pretty frequently the last weeks, and I've been upgrading regularly since we're still in dev. Anything that might have changed in that section of the code that might explain it?

  • jacobsfletch, 2 years ago
    @1033006865661050921

    The logout operation requires a user to logout. Are you sending an authenticated user through a POST request to /api/users/logout?



    Can you send the request to me?



    Nothing that would affect authentication in this way

  • taongab, 2 years ago

    hey, what was the solution to this?



    I am experiencing a similar issue, that's also stopping me from using access control. thanks.

  • lioloc, 8 months ago

    If someone else encounters this issue, temporarily set your response headers to expire the payload-token immediately, e.g. in your middleware.ts:


        import { NextResponse } from 'next/server'
        export function middleware() {
          const response = NextResponse.next()
          response.headers.set('Set-Cookie', 'payload-token=; Max-Age=0') // expires the cookie on every matched request
          return response
        }

    Worked for me



    Not exactly the solution you're looking for, but I know how to fix your issue, I'll respond in your post

  • hristo6004, 8 months ago

    Hi @780916551502659594, I'm having this issue #1277517339084197888 where after I log out on my frontend, if I have multiple tabs, the cookie doesn't clear in others (until I hit F5), which still lets me have access. I need a way to make the cookie invalid after logging out so even if the payload-token is still there, it wouldn't allow the user to do any other actions, forcing them to re-login.



    Do you think this will help? I'm a bit lost on authentication and how it works. Thanks!
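Taking lioloc's cookie-expiry workaround and hristo6004's request to make a lingering payload-token useless together, here is an added example (not Payload's own code) of a logout flow that revokes the token server-side and expires the cookie, so a stale copy in another tab is rejected. The cookie attributes, the 400 status and the in-memory revocation store are assumptions for illustration; signature and expiry checks on the token itself are out of scope here.

```typescript
// Added example, not Payload's code. Framework-free so it runs stand-alone.
const COOKIE_NAME = 'payload-token'

// Parse a raw Cookie request header into a name -> value map.
export function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {}
  for (const part of (header ?? '').split(';')) {
    const idx = part.indexOf('=')
    if (idx === -1) continue
    const name = part.slice(0, idx).trim()
    if (name) out[name] = part.slice(idx + 1).trim()
  }
  return out
}

// Set-Cookie value that expires the token. Attributes are assumed; a browser
// only replaces a cookie when name, Path and Domain match the one it stored,
// so these must mirror whatever the login response used.
export function clearTokenCookie(): string {
  return `${COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax; Secure`
}

type Reply = { status: number; headers: Record<string, string>; body: unknown }

// In-memory revocation store (assumption: production would persist it and
// prune entries once the underlying token has expired anyway).
export class SessionStore {
  private revoked = new Set<string>()

  // Logout: no token present reproduces the thread's "No User" error;
  // otherwise the token is revoked and the cookie is expired in one step.
  logout(cookieHeader: string | undefined): Reply {
    const token = parseCookies(cookieHeader)[COOKIE_NAME]
    if (token === undefined || token === '') {
      return { status: 400, headers: {}, body: { errors: [{ message: 'No User' }] } }
    }
    this.revoked.add(token)
    return {
      status: 200,
      headers: { 'Set-Cookie': clearTokenCookie() },
      body: { message: 'You have been logged out successfully.' },
    }
  }

  // Gate for every other request: a revoked token is refused even when the
  // browser (another tab, for instance) still sends it.
  isAuthenticated(cookieHeader: string | undefined): boolean {
    const token = parseCookies(cookieHeader)[COOKIE_NAME]
    return token !== undefined && token !== '' && !this.revoked.has(token)
  }
}
```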
