8

I am using OIDC for authentication and login with ALB. On successfully login I can see AWSELBAuthSessionCookie-0 in my browser. For logout I am setting above cookie value to -1 and redirecting user to application home. I am expecting it should redirect me to OIDC login page again but I an not getting login page again ALB cookie get created automatically and I can see home page without re login.

here is code in golang --

  deletingCookie := http.Cookie{Name: "AWSELBAuthSessionCookie-0", Path: "/", MaxAge: -1}
  http.SetCookie(w, &deletingCookie)
  http.Redirect(w, req, "https://www.test.com/", http.StatusFound)
Gan
  • 624
  • 1
  • 10
  • 31

1 Answers1

0

The cookie option maxage if specified is a positive integer denoting the maximum age in seconds, and the expires option is a datetime object or UNIX timestamp.

And usually the cookie will be available at the root path / itself as given, and could be set to an empty value on trying to delete (expire).

So combining all the above, please try with:

deletingCookie := http.Cookie{Name: "AWSELBAuthSessionCookie-0", Value:"", Path: "/", MaxAge: 0}
http.SetCookie(w, &deletingCookie)
ejhari
  • 11
  • 2
  • -1 should have the same effect as 0 here, from the source: "MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'" – jeffff Apr 29 '21 at 00:27