ReplAuth - Log out?

I am working through 100 days of code, but this question doesn’t relate directly to it (though it is one of the projects on there). Let me know if I should post it there instead.

We just made a small “blog” and used sessions to log in, and used session.clear() to log out. On the next day we changed it so we use ReplAuth to log in. Logging in works fine, but I can’t figure out how to log out again.
I have tried all sorts of things like set_cookie("REPL_AUTH", max_age = 0), but they aren’t affecting the cookie at all.

  repl_auth_cookie = request.cookies.get('REPL_AUTH')
  print(repl_auth_cookie)

returns None

I think it has been asked before but I haven’t found any solutions - anyone got any suggestions?

Repl link: https://replit.com/@BrynParry/Day87100Days#main.py

@app.route('/logout')
def logout():
  session.clear()
  # random print to see the function is being called
  print("logging out")
  res = make_response("logged out")
  res.set_cookie('REPL_AUTH', value="blah", max_age=0, expires=0)
  res.delete_cookie('REPL_AUTH')
  return redirect("/")
2 Likes

Does it tell you to have a log out page in the challenge? You might not need to :woman_shrugging: (I don’t know why it’s not working)

2 Likes

It doesn’t, and I don’t need to, I just wanted to try to add it in anyway. I guess I should just move on. :rofl:

3 Likes

Well instead of making a log out page I usually just redirect to the login page, because you’d usually want to log out just to switch accounts. :woman_shrugging:

3 Likes

Well part of that very bottom code snippet looks like flask and the other Express.js, so it wouldn’t work but you could look at flask docs for deleting cookies

I think you have a good idea of how you would do it. You clear REPL_AUTH

3 Likes

I think it’s all flask, I used the methods from here:
https://flask.palletsprojects.com/en/2.3.x/api/#flask.Response.set_cookie

set_cookie isn’t changing the cookie at all, and delete_cookie doesn’t seem to do anything.

1 Like

Make sure to set httponly to true. Pretty sure the REPL_AUTH cookie is HTTP only and not in JavaScript.

Example could look like:

res.delete_cookie("REPL_AUTH", path=None, domain=None, secure=True, httponly=True)
3 Likes

Ah, that didn’t fix it, but might be heading towards a solution. To set the cookie I used this:

<script src="https://replit.com/public/js/repl-auth-v2.js"></script>
<button onclick="LoginWithReplit()"> Login </button>

Is it possible it was set with JavaScript and can’t be edited with python? I’ve not used JavaScript before so have no idea.

3 Likes

Well I think ReplAuth uses HTTP only cookies (which is why you can’t log out by simply calling document.cookie='' in the JavaScript).

So I thought adding the httponly would fix it, but guess not…

3 Likes

Well, it seems that the repl proxy/firewall/router/NAT is filtering out the REPL_AUTH cookie, because the cookie field is empty for me despite being logged in.

1 Like

This took me hours of wasted time to figure out how to log out, but I finally figured it out. The solution is relatively simple. Posting it for others. Basically, the cookie is stored under your hostname, therefore when deleting the cookie “REPL_AUTH” you also need to pass in your domain.

@app.route('/logout')
def logout():
    session.clear()

    # Get hostname for setting the correct domain in the cookie
    hostname = request.host

    response = make_response(redirect(url_for('index')))
    # Clearing REPL_AUTH cookie for the specified domain
    response.delete_cookie('REPL_AUTH', domain='.' + hostname)

    return response

Here is a quick hello world example https://replit.com/@mathsociety/replit-auth-with-logout?v=1

2 Likes

Yeah response.delete_cookie('REPL_AUTH') or response.set_cookie('REPL_AUTH', '', expires=0) should work, is it not working?

No, it does not work without domain='.' + request.host. In fact, when I was trying to make this yesterday it didn’t work with it either. I think what’s different is that I wasn’t using session.clear(). :woman_shrugging:

1 Like

So the cookie is actually stored with the hostname lol.

2 Likes

session.clear() wouldn’t clear the REPL_AUTH cookie at all. It solely removes the data stored within the session object for that user. It doesn’t delete cookies from the browser. That’s why using session.clear() won’t work for deleting cookies.

So what’s different between my code and math’s…

Nevermind I tried it out just now it works… wth… :woman_shrugging:

1 Like

It’s because the cookie was set without specifying a domain, making it a host-only cookie. This explains why my suggested approach wouldn’t work; the deletion would only be successful if the domain parameter matches exactly or is omitted. :person_shrugging:

3 Likes
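To make the host-only point in the last reply concrete (and to show why the delete_cookie variants earlier in the thread behave differently), here is an added example that is not from any poster in the thread. It uses the standard library's http.cookiejar as a stand-in for a browser cookie store: a cookie that arrives without a Domain attribute is keyed under the bare request host, while a cookie carrying Domain=... is keyed under the dotted domain, so an expiring Set-Cookie only removes a stored cookie when its name, domain key and path match. The host name, cookie value and Set-Cookie lines are constructed for the example (the Set-Cookie lines mirror what Flask's delete_cookie emits); treating the jar as a model of a browser store is an assumption.

```python
"""Why a host-only cookie survives a Domain-qualified delete (added example)."""
import email.message
import urllib.request
from http.cookiejar import CookieJar

HOST = "myapp.example.repl.co"     # constructed host name, not a real repl
BASE = f"https://{HOST}"
EXPIRED = "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0"


class _Response:
    """Minimal stand-in for an HTTP response; the jar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for line in set_cookie_headers:
            self._headers["Set-Cookie"] = line      # repeated headers are kept

    def info(self):
        return self._headers


def apply_set_cookie(jar, path, *set_cookie_headers):
    """Feed one server response carrying Set-Cookie lines into the jar."""
    request = urllib.request.Request(BASE + path)
    jar.extract_cookies(_Response(set_cookie_headers), request)
    return jar


def stored(jar):
    """Return {(name, domain_key)} for every cookie the jar still holds."""
    return {(c.name, c.domain) for c in jar}


def login_host_only(jar):
    # No Domain attribute: the jar keys the cookie under the bare host.
    return apply_set_cookie(jar, "/", "REPL_AUTH=tok-123; Path=/; Secure; HttpOnly")


def login_with_domain(jar):
    # Domain attribute present: the jar keys the cookie under ".HOST" instead.
    return apply_set_cookie(
        jar, "/", f"REPL_AUTH=tok-123; Domain={HOST}; Path=/; Secure; HttpOnly")


def logout_with_dotted_domain(jar):
    # What response.delete_cookie('REPL_AUTH', domain='.' + request.host) sends.
    return apply_set_cookie(
        jar, "/logout", f"REPL_AUTH=; Domain=.{HOST}; {EXPIRED}; Path=/")


def logout_host_only(jar):
    # What response.delete_cookie('REPL_AUTH') sends: no Domain, Path=/.
    return apply_set_cookie(jar, "/logout", f"REPL_AUTH=; {EXPIRED}; Path=/")


def demo_host_only_cookie():
    """Host-only cookie: only the Domain-less delete matches its key."""
    jar = login_host_only(CookieJar())
    before = stored(jar)                 # {("REPL_AUTH", HOST)}
    logout_with_dotted_domain(jar)
    after_dotted = stored(jar)           # unchanged: key ".HOST" was never stored
    logout_host_only(jar)
    after_plain = stored(jar)            # empty: same key as the original cookie
    return before, after_dotted, after_plain


def demo_domain_cookie():
    """Domain cookie: the mirror case, where the dotted delete is the one that works."""
    jar = login_with_domain(CookieJar())
    before = stored(jar)                 # {("REPL_AUTH", "." + HOST)}
    logout_with_dotted_domain(jar)
    return before, stored(jar)           # second element is empty


if __name__ == "__main__":
    labels = ("after login", "after dotted-domain delete", "after plain delete")
    for label, state in zip(labels, demo_host_only_cookie()):
        print(f"{label:>27}: {sorted(state) or '(no cookies)'}")
    for label, state in zip(("domain cookie set", "domain cookie deleted"), demo_domain_cookie()):
        print(f"{label:>27}: {sorted(state) or '(no cookies)'}")
```

The rule the example illustrates is that a logout response must repeat the same Domain and Path the cookie was originally set with; session.clear() never touches anything in the browser, so it is irrelevant to whether REPL_AUTH disappears. Real browsers differ from this model in details, so the reliable check is the Set-Cookie header in the logout response next to the one that set the cookie at login.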