jpadilla / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
http://jpadilla.github.io/django-rest-framework-jwt/
MIT License

Cookie not removed in request when response is 401 #493

Open pedroflying opened 4 years ago

pedroflying commented 4 years ago

I'm using JWT in an httpOnly cookie and allowing multiple logins on the system. If I have 2 sessions opened with the same user (different JWT tokens) and one of them logs out, I reset all JWT tokens by changing the user's UUID. I also delete that session's cookie by means of:

        from django.http import HttpResponse

        response = HttpResponse()
        # Same path the cookie was set with, otherwise the browser keeps it
        response.delete_cookie("cookie.jwt", path="/")

This logs out both browser sessions and that's OK, but the browser session in which I DID NOT explicitly log out keeps an invalid cookie in the browser, and I can't get rid of it via JavaScript because it's httpOnly (I want it to stay that way). All further requests to the server return a 401 and I can't seem to change the response to add a "delete_cookie".

Two questions:

  1. Why not always delete the cookie JWT_AUTH_COOKIE from the response if an exception is raised by JWT?

  2. How can I work around this issue?

Thanks!
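One way to get the stale cookie cleared without touching every view: a Django middleware that checks the response status after the view and, if it is 401 and the request carried the JWT cookie, calls `delete_cookie` on the response. DRF turns an authentication failure into an ordinary response before it leaves the view, so a middleware placed after the authentication layer sees the 401. The code below is an added example, not part of django-rest-framework-jwt; the cookie name and path are assumptions (constructed here as `cookie.jwt` and `/`, matching the names in the report), and the small request/response stand-ins at the bottom exist only so the example runs without Django installed. With Django, the real `HttpRequest`/`HttpResponse` objects expose the same `COOKIES`, `status_code` and `delete_cookie` members the middleware uses.

```python
"""Added example (not from the django-rest-framework-jwt project): a Django-style
middleware that clears a stale httpOnly JWT cookie whenever the response is 401.

Assumptions (hypothetical, not taken from the issue): the cookie name would come
from the JWT_AUTH_COOKIE setting and the cookie was set with path "/".
"""

# Constructed values standing in for settings.JWT_AUTH_COOKIE and the cookie path.
JWT_AUTH_COOKIE = "cookie.jwt"
JWT_AUTH_COOKIE_PATH = "/"


class ClearInvalidJwtCookieMiddleware:
    """If the request carried the JWT cookie and the view answered 401, tell the
    browser to drop the cookie.

    A browser cannot remove an httpOnly cookie from JavaScript, so the server has
    to send a Set-Cookie header with an expiry in the past; delete_cookie does that.
    The path must match the one the cookie was set with, or the browser keeps it.
    """

    def __init__(self, get_response, cookie_name=JWT_AUTH_COOKIE,
                 path=JWT_AUTH_COOKIE_PATH):
        self.get_response = get_response
        self.cookie_name = cookie_name
        self.path = path

    def __call__(self, request):
        response = self.get_response(request)
        if response.status_code == 401 and self.cookie_name in request.COOKIES:
            response.delete_cookie(self.cookie_name, path=self.path)
        return response


# --- Stand-ins so the example runs offline (constructed, not Django classes) ---

class _Request:
    def __init__(self, cookies):
        self.COOKIES = dict(cookies)


class _Response:
    """Minimal replacement for django.http.HttpResponse for this example."""

    def __init__(self, status_code):
        self.status_code = status_code
        self.deleted_cookies = []  # (name, path) pairs delete_cookie was called with

    def delete_cookie(self, key, path="/", domain=None):
        self.deleted_cookies.append((key, path))


def simulate(status_code, cookies):
    """Push one request through the middleware; return the cookie names it cleared."""
    middleware = ClearInvalidJwtCookieMiddleware(lambda request: _Response(status_code))
    response = middleware(_Request(cookies))
    return [name for name, _ in response.deleted_cookies]


if __name__ == "__main__":
    # A 401 with a stale cookie present: the cookie is cleared.
    print(simulate(401, {"cookie.jwt": "stale-token"}))   # ['cookie.jwt']
    # A 401 from a client that never had the cookie: nothing to clear.
    print(simulate(401, {}))                               # []
    # A successful request leaves the cookie alone.
    print(simulate(200, {"cookie.jwt": "valid-token"}))   # []
```

Register the class in `MIDDLEWARE` after Django's authentication middleware so it wraps the view response. Clearing only when the cookie was actually present avoids emitting a needless Set-Cookie on every 401 from clients that never had a session.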