How to Logout from ALB OIDC Session?

Question

I am using OIDC for authentication and login with ALB. On successfully login I can see AWSELBAuthSessionCookie-0 in my browser. For logout I am setting above cookie value to -1 and redirecting user to application home. I am expecting it should redirect me to OIDC login page again but I an not getting login page again ALB cookie get created automatically and I can see home page without re login.

here is code in golang --

  deletingCookie := http.Cookie{Name: "AWSELBAuthSessionCookie-0", Path: "/", MaxAge: -1}
  http.SetCookie(w, &deletingCookie)
  http.Redirect(w, req, "https://www.test.com/", http.StatusFound)

did u find any solution for logout? – ashu Jun 16 '23 at 15:43 — ashu, Jun 16 '23 at 15:43

score 0 · Answer 1 · answered Apr 17 '21 at 19:57

The cookie option maxage if specified is a positive integer denoting the maximum age in seconds, and the expires option is a datetime object or UNIX timestamp.

And usually the cookie will be available at the root path / itself as given, and could be set to an empty value on trying to delete (expire).

So combining all the above, please try with:

deletingCookie := http.Cookie{Name: "AWSELBAuthSessionCookie-0", Value:"", Path: "/", MaxAge: 0}
http.SetCookie(w, &deletingCookie)

-1 should have the same effect as 0 here, from the source: "MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'" — jeffff, Apr 29 '21 at 00:27

How to Logout from ALB OIDC Session?

1 Answers1