Why clear the cookie with the same options on logout?
If you set the cookie with httpOnly, secure, sameSite, you must clear it with the same options. Otherwise the browser may not match the cookie and it will not be cleared. The user stays logged in.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Securely Store JWT in Cookies
Set httpOnly: true (no script access), secure: true (HTTPS only), sameSite: 'lax' or 'strict' (CSRF protection), and maxAge matching the JWT expiry. Clear with the same options on logout.
Scripts cannot read the cookie. This protects against XSS-driven token theft. Without httpOnly, any script (including injected ones) can read the token and send it to an attacker.
The cookie is only sent over HTTPS. Without secure, the cookie is sent over HTTP too, and a man-in-the-middle can read it. Always use HTTPS in production.
Still have questions?
Browse all our FAQs or reach out to our support team
