Skip to content

fix: delete v3 appSession cookie on logout#2552

Merged
Piyush-85 merged 2 commits intoauth0:mainfrom
gmurphey:claude/strange-murdock
Apr 28, 2026
Merged

fix: delete v3 appSession cookie on logout#2552
Piyush-85 merged 2 commits intoauth0:mainfrom
gmurphey:claude/strange-murdock

Conversation

@gmurphey
Copy link
Copy Markdown
Contributor

@gmurphey gmurphey commented Mar 12, 2026

Summary

  • When upgrading from v3 to v4, the legacy appSession cookie was only cleaned up during login (set()), not during logout (delete()). This caused users with a lingering v3 cookie to bypass authentication on their next login attempt.
  • Adds appSession cookie deletion to StatelessSessionStore.delete() and StatefulSessionStore.delete(), mirroring the existing cleanup logic in their set() methods.

Test plan

  • Added test: stateless delete() removes legacy chunked appSession cookie when present
  • Added test: stateful delete() removes legacy appSession cookie when present
  • Added test: stateful delete() skips redundant deletion when session cookie name is already appSession
  • All 891 existing tests continue to pass

🤖 Generated with Claude Code

@gmurphey @claude
fix: delete v3 appSession cookie on logout
b4e2626 
When upgrading from v3 to v4, the legacy appSession cookie was only
cleaned up during login (set), not during logout (delete). This caused
users with a lingering v3 cookie to bypass authentication on their
next login attempt.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gmurphey gmurphey requested a review from a team as a code owner March 12, 2026 15:27
@Piyush-85
Copy link
Copy Markdown
Contributor

Piyush-85 commented Apr 28, 2026

@gmurphey Thanks for the contribution. This fix was critical and LGTM.
Approving and merging this.

Note - Will add a section Session Cookie Migration in the V4 Migration Guide.md to reflect this change.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.85%. Comparing base (444e2b3) to head (53315ac).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2552      +/-   ##
==========================================
+ Coverage   89.83%   89.85%   +0.01%     
==========================================
  Files          67       67              
  Lines        8119     8135      +16     
  Branches     1739     1743       +4     
==========================================
+ Hits         7294     7310      +16     
  Misses        813      813              
  Partials       12       12

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Piyush-85 Piyush-85 merged commit ef958a3 into auth0:main Apr 28, 2026
7 of 9 checks passed
@Piyush-85 Piyush-85 mentioned this pull request Apr 28, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Piyush-85 Piyush-85 Piyush-85 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gmurphey @Piyush-85 @codecov-commenter