How to logout a user when cookie is removed?

[Slamadalius]

Hello,

Not sure how it should work ( not a lot of information in docs about cookie auth ).

I have minimal configuration at the moment ( tried different variations ).

 auth: {
    strategies: {
      cookie: {
        endpoints: {
          login: { url: "/api/auth/login", method: "post" },
          logout: false, // will be implemented
          user: false,   // will be implemented
        },
      },
    },
  },

Server sets http-only session cookie. After browser close I can see that it is removed in Application->cookies.

But user is still logedIn after browser close. For a second I thought to use something like nuxt-universal-cookie to check if cookie exists. But this is http-only cookie so I can't access it.

How should I logout a user?

[devzom]

I quess You use "Set-Cookie" by backend response? And just one cookie You have?

For. Logout you should use the

Logout method
Which will delete all data on $auth.

You don't have to use nuxt-universal-cookie as $auth have built in method for all storages.
Cookie storage methods

---

Going further you can check it on nuxtServerInit.

But I think I should work out of the box with logout(). 🙄

[Slamadalius]

I know about logout func. And it works fine when user clicks on logout button I set up.

But what is the flow when cookie is removed, in this case after browser close?
Or what is the flow with http-only cookie in general? Because I don't get it with expiration times as well.

I can't check if http-only cookie exists. And I don't want to logout a user on each page reload.

Or should I just ditch http-only flag and make sure I don't have xss vulnerabilities?

[bmulholland]

I don't understand the issue. The browser is closed, so there's no app for the user to be logged out of? Where are you even checking loggedIn?