Logout - third party cookies


#1

Hey guys,
so I’m having this issue with logout in okta-react. It seems like Okta is unable to delete the session if the browser is blocking third-party cookies. A DELETE request to ‘{URL}/api/v1/sessions/me’ responds with 404 (Resource not found: me (Session)). I’m using the logout method from the withAuth HOC. What can I do to resolve this problem?


#3

When I’ve seen a 404 in the past, it’s usually because I’m already logged out.


#4

That’s definitely not the case here. I’m 100% sure this has something to do with the browser blocking third-party cookies. It seems like Okta needs to somehow interact with cookies to perform the deletion of ‘{URL}/api/v1/sessions/me’. There are 2 cookies in my storage, “okta-oauth-nonce” and “okta-oauth-state”. Maybe Okta needs to read their values and TP cookie blocking makes this impossible? (Not sure if TPCB prevents even reading or deleting a cookie.)


#5

I haven’t seen this behavior myself. I mostly use Chrome. Are you using a certain browser? If you configure that browser to accept 3rd party cookies, does it work?


#6

I use Chrome as well. If I enable cookies it works. For example, Safari blocks 3rd party cookies by default…


#7

@machy92 yea same here. In my case, it was an issue with getting the session. After my SPA did a sign in with redirect (i.e. my session is now active), my app would get the token in the hash, but GET /api/v1/sessions/me from my app returned 404. Navigating directly to {mydomain}/api/v1/sessions/me in a new browser tab returned 200. Toggling “Block third-party cookies” to off fixed this for me.
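
Added example, not part of the thread and not Okta's or okta-react's code: a logout helper that treats the 404 from `DELETE /api/v1/sessions/me` as "session state unknown" and falls back to a top-level redirect to the OIDC end-session endpoint, where the Okta session cookie is first-party. The function names, the `tokenStore` object, the `example.okta.com` / `app.example.com` values and the fake fetch are assumptions constructed for illustration; take the real end-session URL from your issuer's discovery document.

```javascript
// Hypothetical helper names; sample hosts and tokens below are constructed.

// Build the redirect-based logout URL (OIDC RP-initiated logout parameters).
function buildLogoutUrl(endSessionEndpoint, idToken, postLogoutRedirectUri, state) {
  const url = new URL(endSessionEndpoint);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// A 404 on the XHR is ambiguous: either the session is already gone, or the
// browser withheld the Okta session cookie because the request was cross-site.
// Only a 2xx proves this request actually closed the session.
function needsRedirect(status) {
  return !(status >= 200 && status < 300);
}

async function signOut({ oktaOrigin, endSessionEndpoint, postLogoutRedirectUri, tokenStore, fetchImpl }) {
  const idToken = tokenStore.idToken;
  let status = 0; // 0 = network or CORS failure
  try {
    const res = await fetchImpl(oktaOrigin + '/api/v1/sessions/me',
      { method: 'DELETE', credentials: 'include' });
    status = res.status;
  } catch (_) { /* keep status 0 and fall through to the redirect */ }

  // Local tokens are dropped regardless of what the server answered.
  tokenStore.idToken = null;
  tokenStore.accessToken = null;

  if (!needsRedirect(status)) return { sessionClosed: true, redirectTo: null };
  // In a browser the caller would do: window.location.assign(result.redirectTo)
  const redirectTo = idToken
    ? buildLogoutUrl(endSessionEndpoint, idToken, postLogoutRedirectUri)
    : null;
  return { sessionClosed: false, redirectTo };
}

// Constructed stand-in for the browser plus Okta: 204 when the session cookie
// accompanies the request, 404 when third-party cookie blocking strips it.
function fakeOkta(cookieSent) {
  return async () => ({ status: cookieSent ? 204 : 404 });
}
```

With `fakeOkta(false)` the helper returns a `redirectTo` URL instead of reporting success, so the Okta session is ended by a full-page navigation rather than left alive behind cleared local tokens.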