Bug: Iron Session Cookie not destroyed on second logout attempt #5
Labels: bug (Something isn't working), good first issue (Good for newcomers), help wanted (Extra attention is needed)
The SIWE flow uses iron-session to create a session using an encrypted cookie. Normally we want to create this with httpOnly set to true. Right now we are manually overriding the default setting:
https://github.com/turbo-eth/template-web3-app/blob/main/lib/config.ts#L27
Why?
A bug is present causing the cookie not to be removed upon the second logout request. I don't know why.
Instead the cookie is accessed from the browser/client and is destroyed manually if the API /account/logout request fails. This is NOT SECURE and the bug needs to be fixed before a production application can use the boilerplate.
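The property the issue is asking for, shown as an added example that is not code from template-web3-app or iron-session: once the cookie is HttpOnly the client cannot delete it, so the logout endpoint has to emit the clearing Set-Cookie on every call, including a second logout with no session left. The cookie name and attribute set below are assumptions, not the project's configuration.

```javascript
// Added example, not code from template-web3-app or iron-session. It models the
// /account/logout endpoint as plain functions so the "second logout" case can
// be checked offline. The cookie name is an assumed placeholder.
const SESSION_COOKIE = "siwe-session"; // assumed name, not the project's
// With httpOnly true, client-side JavaScript can neither read nor delete the
// cookie, so the server must clear it on every logout response.
const COOKIE_OPTIONS = { httpOnly: true, secure: true, sameSite: "Lax", path: "/" };
// Set-Cookie value that clears the session cookie: same name and Path as the
// original, empty value, Max-Age=0, and the same HttpOnly/Secure attributes.
function buildClearCookie(opts = COOKIE_OPTIONS) {
  const parts = [`${SESSION_COOKIE}=`, "Max-Age=0", `Path=${opts.path}`];
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}
// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const pair of header.split(";")) {
    const idx = pair.indexOf("=");
    if (idx > 0) jar[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
  }
  return jar;
}
// Idempotent logout: whether or not a session cookie arrived, respond 200 and
// always emit the clearing Set-Cookie, so a repeated logout still clears it.
function handleLogout(req) {
  const hadSession = SESSION_COOKIE in parseCookies(req.headers.cookie || "");
  return { status: 200, headers: { "Set-Cookie": buildClearCookie() }, hadSession };
}
// Minimal browser cookie jar: a Set-Cookie with Max-Age=0 deletes the cookie.
function applySetCookie(jar, setCookie) {
  const [nameValue, ...attrs] = setCookie.split("; ");
  const name = nameValue.slice(0, nameValue.indexOf("="));
  if (attrs.includes("Max-Age=0")) delete jar[name];
  else jar[name] = nameValue.slice(name.length + 1);
  return jar;
}
// Start with a live session, log out twice, report what each response did.
function simulateDoubleLogout() {
  const jar = { [SESSION_COOKIE]: "sealed-token" }; // constructed session value
  const cookieHeader = () => Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
  const first = handleLogout({ headers: { cookie: cookieHeader() } });
  applySetCookie(jar, first.headers["Set-Cookie"]);
  const second = handleLogout({ headers: { cookie: cookieHeader() } });
  applySetCookie(jar, second.headers["Set-Cookie"]);
  return { first, second, cookiesLeft: Object.keys(jar).length };
}
```

The second response carries hadSession false but still returns 200 with the clearing header, which is the behaviour that removes the need for any client-side cookie deletion.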