Facebook Pixel

Why clear the cookie with the same options on logout?

If you set the cookie with httpOnly, secure, sameSite, you must clear it with the same options. Otherwise the browser may not match the cookie and it will not be cleared. The user stays logged in.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in How to Securely Store JWT in Cookies

Set httpOnly: true (no script access), secure: true (HTTPS only), sameSite: 'lax' or 'strict' (CSRF protection), and maxAge matching the JWT expiry. Clear with the same options on logout.

Scripts cannot read the cookie. This protects against XSS-driven token theft. Without httpOnly, any script (including injected ones) can read the token and send it to an attacker.

The cookie is only sent over HTTPS. Without secure, the cookie is sent over HTTP too, and a man-in-the-middle can read it. Always use HTTPS in production.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.