
fix: delete v3 appSession cookie on logout #2552

Open
gmurphey wants to merge 1 commit into auth0:main from gmurphey:claude/strange-murdock


@gmurphey

Summary

  • When upgrading from v3 to v4, the legacy appSession cookie was only cleaned up during login (set()), not during logout (delete()). This caused users with a lingering v3 cookie to bypass authentication on their next login attempt.
  • Adds appSession cookie deletion to StatelessSessionStore.delete() and StatefulSessionStore.delete(), mirroring the existing cleanup logic in their set() methods.

Test plan

  • Added test: stateless delete() removes legacy chunked appSession cookie when present
  • Added test: stateful delete() removes legacy appSession cookie when present
  • Added test: stateful delete() skips redundant deletion when session cookie name is already appSession
  • All 891 existing tests continue to pass

🤖 Generated with Claude Code

When upgrading from v3 to v4, the legacy appSession cookie was only
cleaned up during login (set), not during logout (delete). This caused
users with a lingering v3 cookie to bypass authentication on their
next login attempt.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gmurphey gmurphey requested a review from a team as a code owner March 12, 2026 15:27
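
The logout-side cleanup described in the summary, as an added TypeScript example that is not code from this PR or from nextjs-auth0. The function names, the `appSession.<n>` chunk naming, the `__session` cookie name in the sample, and the `Path=/` attribute are assumptions.

```typescript
// Added example: all identifiers here are hypothetical, not nextjs-auth0's API.
const LEGACY_COOKIE = "appSession"; // v3 session cookie name, per the PR
// Assumption: v3 splits an oversized session into appSession.0, appSession.1, ...
const LEGACY_CHUNK = /^appSession\.\d+$/;

// Constructed sample: a browser still holding v3 chunks next to a v4 cookie.
const SAMPLE_COOKIE_HEADER =
  "appSession.0=aaa; appSession.1=bbb; __session=ccc; theme=dark";

/** Unique cookie names carried by a Cookie request header. */
function cookieNames(cookieHeader: string): string[] {
  return cookieHeader
    .split(";")
    .map((pair) => pair.trim().split("=")[0] || "")
    .filter((n, i, all) => n.length > 0 && all.indexOf(n) === i);
}

/**
 * Set-Cookie headers a logout response must add so that no legacy session
 * cookie outlives the logout. If the current session cookie is itself named
 * appSession, the store's normal delete already expires it, so the bare name
 * is skipped; legacy-format chunks are always expired.
 */
function legacyLogoutDeletions(
  cookieHeader: string,
  sessionCookieName: string
): string[] {
  return cookieNames(cookieHeader)
    .filter((n) =>
      n === LEGACY_COOKIE
        ? sessionCookieName !== LEGACY_COOKIE
        : LEGACY_CHUNK.test(n)
    )
    // Assumption: the v3 cookie was set with Path=/ and no Domain. A deletion
    // only takes effect when Path and Domain match the original cookie.
    .map((n) => `${n}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`);
}

// Logout with the v4 cookie name: both stale chunks get expired.
console.log(legacyLogoutDeletions(SAMPLE_COOKIE_HEADER, "__session"));
```

A regression check for this class of bug is to assert, after a logout response, that every `appSession`-prefixed cookie sent in the request has a matching expiring `Set-Cookie` header.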
