Force Session Expiration Cookie

Hi.
I need to expire a session cookie so my back-end doesn’t take it as valid.
Currently I’m deleting the cookie on the client and it works alright: the client won’t send valid requests. Nevertheless, if I copy the Authorization cookie beforehand, I can still send valid requests to my server even if the session has ended in my browser client.
I’ve followed the instructions from the documentation for Angular (Sign users out of your app | Okta Developer) but still no luck.
I understand that by design the cookie would still be valid until the expiration time happens, but I want to ask here if there’s actually a way to invalidate it on the server side.

Thank you in advance.

The Okta IdP session (a session cookie on the Okta domain) is separate from the OIDC application session (tokens). They function independently and the expiration of one will not affect the lifetime of the other.

If you want to end a user’s session server-side, you will need to know their session ID and make a DELETE request to /api/v1/sessions/{{sessionId}}.

If you can end it client-side, you can either use the /logout endpoint or make a CORS request to DELETE /api/v1/sessions/me.

One way you could get this session ID is to store it within the user’s access tokens via the token inline hook. See this post for how to do that: Validate access token is linked to Okta session - #2 by andrea.

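The server-side call described in the answer above, as an added example that is not part of the original thread or Okta's own code. It assumes the access token has already been verified, that the token inline hook placed the session ID in a custom claim (the name `okta_session_id` is hypothetical), and that the back-end holds an Okta API token sent with the `SSWS` scheme.

```python
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the token inline hook stores the Okta session ID in this custom claim.
SESSION_CLAIM = "okta_session_id"  # hypothetical claim name


def build_session_delete(org_url, api_token, session_id):
    """Build DELETE /api/v1/sessions/{sessionId} for the Okta org at org_url."""
    if not org_url.startswith("https://"):
        raise ValueError("org_url must use https")
    # Percent-encode the ID so a malformed claim value cannot alter the request path.
    path = "/api/v1/sessions/" + urllib.parse.quote(session_id, safe="")
    return urllib.request.Request(
        org_url.rstrip("/") + path,
        method="DELETE",
        headers={"Authorization": "SSWS " + api_token, "Accept": "application/json"},
    )


def end_okta_session(claims, org_url, api_token, opener=urllib.request.urlopen):
    """End the Okta session named in already-verified access token claims.

    Returns True when the session was ended (204) or no longer exists (404).
    """
    session_id = claims.get(SESSION_CLAIM)
    if not isinstance(session_id, str) or not session_id:
        raise ValueError("access token carries no session ID claim")
    request = build_session_delete(org_url, api_token, session_id)
    try:
        with opener(request, timeout=10) as response:
            return response.status == 204
    except urllib.error.HTTPError as err:
        if err.code == 404:  # session already expired or was ended elsewhere
            return True
        raise  # 401/403/5xx: surface the failure, the session may still be live
```

The `opener` parameter exists so the call can be exercised without network access; in production the default `urllib.request.urlopen` is used.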