I am working through 100 days of code, but this question doesn’t relate directly to it (though it is one of the projects on there). Let me know if I should post it there instead.
We just made a small “blog” and used sessions to log in, and used session.clear() to log out. On the next day we changed it so we use ReplAuth to log in. Logging in works fine, but I can’t figure out how to log out again.
I have tried all sorts of things like set_cookie("REPL_AUTH", max_age = 0), but they aren’t affecting the cookie at all.
```python
@app.route('/logout')
def logout():
    session.clear()
    # random print to see the function is being called
    print("logging out")
    res = make_response("logged out")
    res.set_cookie('REPL_AUTH', value= "blah", max_age= 0, expires=0)
    res.delete_cookie('REPL_AUTH')
    return redirect("/")
```
Well, part of that very bottom code snippet looks like Flask and the other Express.js, so it wouldn’t work, but you could look at the Flask docs for deleting cookies.
I think you have a good idea of how you would do it. You clear REPL_AUTH.
Well, it seems that the repl proxy/firewall/router/NAT is filtering out the REPL_AUTH cookie, because the cookie field is empty for me despite being logged in.
It took me hours of wasted time to figure out how to log out, but I finally figured it out. The solution is relatively simple. Posting it for others. Basically, the cookie is stored under your hostname, therefore when deleting the cookie “REPL_AUTH” you also need to pass in your domain.
```python
# Assumes app = Flask(__name__) and an 'index' view are defined elsewhere
from flask import make_response, redirect, request, session, url_for

@app.route('/logout')
def logout():
    session.clear()
    # Get hostname for setting the correct domain in the cookie
    hostname = request.host
    response = make_response(redirect(url_for('index')))
    # Clearing REPL_AUTH cookie for the specified domain
    response.delete_cookie('REPL_AUTH', domain='.' + hostname)
    return response
```
No, it does not work without domain='.' + request.host. In fact, when I was trying to make this yesterday it didn’t work with it either. I think what’s different is that I wasn’t using session.clear().
session.clear() wouldn’t clear the REPL_AUTH cookie at all. It solely removes the data stored within the session object for that user. It doesn’t delete cookies from the browser. That’s why using session.clear() won’t work for deleting cookies.
It’s because the cookie was set without specifying a domain, making it a host-only cookie. This explains why my suggested approach wouldn’t work; the deletion would only be successful if the domain parameter matches exactly or is omitted.
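Added example, not part of any post in this thread: it shows why a logout only works when the deletion header targets the same cookie scope the login used, and why a response that never carries the `Set-Cookie` header leaves the user logged in. Python's standard `http.cookiejar` stands in for the browser's cookie store (an assumption), and the hostname, token value and headers are constructed, not taken from Replit.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "blog.example.test"  # constructed hostname, not a real Repl URL
EXPIRED = "REPL_AUTH=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/"

# Constructed Set-Cookie headers: two ways a login cookie can be scoped...
LOGIN_HOST_ONLY = "REPL_AUTH=token; Path=/"
LOGIN_DOMAIN = f"REPL_AUTH=token; Domain=.{HOST}; Path=/"
# ...and deletion headers of the kind the two logout variants send.
DELETE_NO_DOMAIN = EXPIRED                          # no domain argument
DELETE_WITH_DOMAIN = f"{EXPIRED}; Domain=.{HOST}"   # domain='.' + host


class FakeResponse:
    """CookieJar.extract_cookies() only needs .info() returning the headers."""

    def __init__(self, set_cookie):
        self._headers = Message()
        if set_cookie is not None:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def survives_logout(login_header, logout_header):
    """True if REPL_AUTH is still stored after the logout response is processed.

    logout_header=None models a response that carries no Set-Cookie at all,
    e.g. a view that edits one response object but returns a different one.
    """
    jar = CookieJar()
    request = Request(f"https://{HOST}/logout")
    jar.extract_cookies(FakeResponse(login_header), request)
    jar.extract_cookies(FakeResponse(logout_header), request)
    return any(cookie.name == "REPL_AUTH" for cookie in jar)


if __name__ == "__main__":
    for login in (LOGIN_HOST_ONLY, LOGIN_DOMAIN):
        for logout in (DELETE_NO_DOMAIN, DELETE_WITH_DOMAIN, None):
            print(f"{login!r:50} {logout!r:100} "
                  f"survives={survives_logout(login, logout)}")
```

To see which scope a real login cookie has, check its Domain column in the browser's developer tools before choosing the `domain` argument for `delete_cookie`.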