DELETE to /oauth2/auth/sessions/login/{user}
The guide says that it will remove all session cookies from all devices.
Is there a way to remove only the current user's cookie?
Using it for a first-party client and thinking about how to implement logout.
One way would be to always set remember to false and rely on the existence of access/refresh tokens to authenticate the user; once these are deleted, authentication will fail and the user will be redirected back to hydra/idp and be shown the login screen.
The problem with this approach is that if the user clicks on a sign in link somewhere, they will be presented with the login screen even though they are logged in.
On the other hand, if I use the remember flag, there's no way to log out the user on that specific device.
Another way around, if Hydra and idp are on the same domain, is that idp can create a /logout endpoint that will delete the Hydra session cookie, but that's not very clean and might break if the cookie name changes etc.
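The two logout scopes discussed above (sign out this device vs. sign out everywhere), as an added example that is not part of the original post or of Hydra: it assumes Hydra's standard token revocation endpoint (POST /oauth2/revoke, RFC 7009) next to the admin endpoint quoted in the post, and takes host names, client credentials and an HTTP transport as caller-supplied placeholders so it runs offline.

```python
"""Logout helpers for a first-party ORY Hydra client (added example).

Assumptions (not from the post): Hydra's public /oauth2/revoke endpoint,
and `send`, a caller-supplied transport (method, url, headers, body) -> status.
"""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, urlencode

Transport = Callable[[str, str, Dict[str, str], Optional[str]], int]


@dataclass
class HydraLogout:
    public_url: str      # placeholder, e.g. https://hydra.example.test
    admin_url: str       # placeholder, e.g. https://hydra-admin.internal
    client_id: str
    client_secret: str
    send: Transport
    calls: List[Tuple[str, str]] = field(default_factory=list)

    def _basic_auth(self) -> str:
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def revoke_token(self, refresh_token: str) -> bool:
        """Per-device logout: revoke only this device's refresh token.
        The Hydra login session (remember cookie) stays, so a later
        sign-in link still skips the login screen on other devices."""
        url = f"{self.public_url}/oauth2/revoke"
        headers = {"Authorization": self._basic_auth(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        status = self.send("POST", url, headers, urlencode({"token": refresh_token}))
        self.calls.append(("POST", url))
        return status == 200

    def revoke_all_sessions(self, subject: str) -> bool:
        """Sign out everywhere: the admin call from the post, which drops the
        subject's login session and therefore the cookie on every device."""
        path = "/oauth2/auth/sessions/login/" + quote(subject, safe="")
        url = self.admin_url + path
        status = self.send("DELETE", url, {}, None)
        self.calls.append(("DELETE", url))
        return status in (200, 204)

    def logout(self, refresh_token: str, subject: str, everywhere: bool = False) -> Dict[str, bool]:
        result = {"token_revoked": self.revoke_token(refresh_token)}
        if everywhere:
            result["sessions_revoked"] = self.revoke_all_sessions(subject)
        return result
```

The subject is percent-encoded before it is placed in the admin path so that characters such as "@" or "/" in a user id cannot alter the URL.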