FusionAuth not changing the value of cookies named account.at, account.rt after logout
-
Version: 1.45.1
We are forcing users to enable two-factor immediately after login if they have not enabled two-factor yet. For the first user it is working, but for the second user it throws an error for email on the Theme -> Account two-factor enable page (Freemarker error: The following has evaluated to value null or missing => email).
After some investigation, we observed that FusionAuth keeps the cookies named account.at and account.rt from the first user and does not change the cookie values after the second user logs in.
So there is a mismatch between the first user's cookies and the second user's data.
If we remove these two cookies manually, then it works as expected.
Can you suggest how we can clear the cookies account.at and account.rt?
Performed steps:
- Login with user1 with correct credentials
- Redirect to the enable-two page
- Enable two-factor
- Redirect to the logout page
- Login with user2 with correct credentials
- Redirect to the enable-two page and faced the Freemarker error: The following has evaluated to value null or missing => email (as the cookies account.at and account.rt are present with user1's data)
Note:
- We are using the hosted login page to validate user credentials.
- We are using "oauth2/logout" for user logout. We also tried calling the "api/logout" endpoint in the logout flow.
-
@jvadaliya Hiya,
I think you need to call the hosted backend logout endpoint to delete the cookies it sets.
Thanks for using FusionAuth!
-
We are experiencing the exact same issue.
We also call /oauth2/logout, and FusionAuth appears to log the user out correctly. However, the cookies account.at and account.rt (created by FusionAuth) remain in the browser after logout.
This means a valid user token is still present even after logging out. When the next user logs in, there is a mismatch between the old cookies and the new user, which causes errors in the hosted login pages.
In our view, this is a critical bug:
Tokens created by FusionAuth must be cleared during the OAuth2 logout process. If they persist, the logout is not complete and leads to incorrect behavior. Is there an official fix or recommended way to force FusionAuth to remove these cookies on logout?
Thanks
Marcel
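A way to verify whether a logout response actually clears the account.at and account.rt cookies described in this thread, as an added example that is not code from the thread or from FusionAuth: it parses the Set-Cookie headers a logout response returns and reports which of the expected cookies were not expired. The sample headers are constructed for illustration, not captured from a FusionAuth instance.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers, as a logout response might return them.
# app.at and account.at are cleared; account.rt is re-issued with a value
# and no expiry, so the browser keeps it and the mismatch in the thread occurs.
SAMPLE_LOGOUT_HEADERS = [
    "app.at=; Max-Age=0; Path=/; HttpOnly; Secure",
    "account.at=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly",
    "account.rt=CONSTRUCTED_TOKEN_VALUE; Path=/; HttpOnly; Secure; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_cleared(header, now=None):
    """True if the header makes the browser discard the cookie immediately."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0  # Max-Age takes precedence over Expires
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False  # no expiry: cookie stays for the session even if the value is empty


def uncleared_cookies(headers, expected=("account.at", "account.rt")):
    """Return the expected cookie names the response did not clear.
    A name absent from the headers is also reported: the browser keeps it."""
    cleared = set()
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name in expected and is_cleared(header):
            cleared.add(name)
    return [name for name in expected if name not in cleared]
```

Run it against the Set-Cookie headers captured from your own logout response; an empty result means the response cleared both cookies.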