[{"data":1,"prerenderedAt":466},["ShallowReactive",2],{"blog-prompts/secure-logout":3},{"id":4,"title":5,"body":6,"category":445,"date":446,"dateModified":447,"description":448,"draft":449,"extension":450,"faq":451,"featured":449,"headerVariant":452,"image":451,"keywords":451,"meta":453,"navigation":454,"ogDescription":455,"ogTitle":451,"path":456,"readTime":451,"schemaOrg":457,"schemaType":458,"seo":459,"sitemap":460,"stem":461,"tags":462,"twitterCard":464,"__hash__":465},"blog/blog/prompts/secure-logout.md","Secure Logout Implementation with AI Prompts",{"type":7,"value":8,"toc":435},"minimark",[9,16,21,24,103,107,110,186,201,205,208,281,285,288,356,365,381,385,388,409,423],[10,11,12],"tldr",{},[13,14,15],"p",{},"Logout isn't just deleting a cookie. You need to invalidate the session server-side, clear all auth tokens, handle \"logout everywhere\" scenarios, and prevent session reuse. These prompts help you implement logout that actually logs users out.",[17,18,20],"h2",{"id":19},"basic-secure-logout","Basic Secure Logout",[13,22,23],{},"Use this prompt to generate a complete secure logout endpoint. Your AI will produce server-side session invalidation, proper cookie clearing with matching attributes, refresh token revocation, and a safe redirect flow.",[25,26,28,31,38,41,60,63,75,78,89,92],"prompt-box",{"title":27},"Implement Secure Logout",[13,29,30],{},"Implement a secure logout endpoint.",[13,32,33,34],{},"Framework: ",[35,36,37],"span",{},"Next.js/Express/Django",[13,39,40],{},"Logout must:",[42,43,44,48,51,54,57],"ol",{},[45,46,47],"li",{},"Invalidate session in database/store (not just cookie)",[45,49,50],{},"Clear session cookie with proper attributes",[45,52,53],{},"Clear any refresh tokens",[45,55,56],{},"Clear remember-me tokens",[45,58,59],{},"Redirect to safe page",[13,61,62],{},"Server-side:",[64,65,66,69,72],"ul",{},[45,67,68],{},"Delete session from session store",[45,70,71],{},"Mark refresh tokens as revoked",[45,73,74],{},"Log the logout event",[13,76,77],{},"Cookie clearing:",[64,79,80,83,86],{},[45,81,82],{},"Set cookie with same name, path, domain",[45,84,85],{},"Set Max-Age=0 or expires in past",[45,87,88],{},"Include Secure, HttpOnly flags",[13,90,91],{},"Response:",[64,93,94,97,100],{},[45,95,96],{},"POST request (not GET to prevent CSRF via image tags)",[45,98,99],{},"Redirect to /login or home page",[45,101,102],{},"Don't expose any error details",[17,104,106],{"id":105},"logout-all-devices","Logout All Devices",[13,108,109],{},"Copy this prompt to implement \"logout from all devices\" functionality. Your AI will generate database queries to revoke all sessions and refresh tokens for a user, plus an active sessions list with selective revocation.",[25,111,113,116,119,136,139,150,153,158,161,172,175],{"title":112},"Logout Everywhere",[13,114,115],{},"Implement \"logout from all devices\" functionality.",[13,117,118],{},"When user clicks \"Logout Everywhere\":",[42,120,121,124,127,130,133],{},[45,122,123],{},"Find all sessions for this user",[45,125,126],{},"Invalidate/delete all sessions",[45,128,129],{},"Revoke all refresh tokens",[45,131,132],{},"Optionally keep current session",[45,134,135],{},"Notify other sessions they're logged out",[13,137,138],{},"Implementation:",[64,140,141,144,147],{},[45,142,143],{},"sessions table needs user_id column",[45,145,146],{},"DELETE FROM sessions WHERE user_id = ?",[45,148,149],{},"Or UPDATE refresh_tokens SET revoked = true WHERE user_id = ?",[13,151,152],{},"If keeping current session:",[64,154,155],{},[45,156,157],{},"DELETE FROM sessions WHERE user_id = ? AND id != ?",[13,159,160],{},"Show active sessions:",[64,162,163,166,169],{},[45,164,165],{},"List devices/browsers with sessions",[45,167,168],{},"Show last active time",[45,170,171],{},"Allow selective revocation",[13,173,174],{},"Trigger auto-logout everywhere on:",[64,176,177,180,183],{},[45,178,179],{},"Password change",[45,181,182],{},"Email change",[45,184,185],{},"Security concern reported",[187,188,189],"warning-box",{},[13,190,191,195,196,200],{},[192,193,194],"strong",{},"Use POST for logout:"," GET requests can be triggered by images or links. An attacker could log users out by including ",[197,198],"img",{"src":199},"/logout"," on their site. Always require POST.",[17,202,204],{"id":203},"client-side-cleanup","Client-Side Cleanup",[13,206,207],{},"This prompt asks your AI to generate client-side cleanup code that runs after logout. You'll get storage clearing, application state reset, cache invalidation, and proper redirect handling to prevent back-button access.",[25,209,211,214,217,220,231,234,245,248,256,259,270,273],{"title":210},"Clear Client State",[13,212,213],{},"Clean up client-side state on logout.",[13,215,216],{},"After successful logout API call:",[13,218,219],{},"Clear storage:",[64,221,222,225,228],{},[45,223,224],{},"localStorage.removeItem('auth_token')",[45,226,227],{},"sessionStorage.clear() for sensitive data",[45,229,230],{},"Clear any cached user data",[13,232,233],{},"Clear application state:",[64,235,236,239,242],{},[45,237,238],{},"Reset auth context/store to null",[45,240,241],{},"Clear React Query/SWR cache for user data",[45,243,244],{},"Reset any user-specific state",[13,246,247],{},"Redirect safely:",[64,249,250,253],{},[45,251,252],{},"window.location.href = '/login'",[45,254,255],{},"Or router.push('/login') with state reset",[13,257,258],{},"Don't do:",[64,260,261,264,267],{},[45,262,263],{},"Leave tokens in memory",[45,265,266],{},"Keep user data in cache",[45,268,269],{},"Allow back button to show protected pages",[13,271,272],{},"Consider:",[64,274,275,278],{},[45,276,277],{},"Show brief \"Logged out\" confirmation",[45,279,280],{},"Clear service worker caches if applicable",[17,282,284],{"id":283},"jwt-logout-considerations","JWT Logout Considerations",[13,286,287],{},"Use this prompt to handle the challenge of logging out with stateless JWTs. Your AI will produce a hybrid approach combining refresh token revocation, optional Redis blacklisting for immediate invalidation, and client-side token cleanup.",[25,289,291,294,297,300,311,314,325,328,339,342],{"title":290},"Logout with JWTs",[13,292,293],{},"Handle logout properly when using JWTs.",[13,295,296],{},"Challenge: JWTs are stateless, can't truly \"invalidate\"",[13,298,299],{},"Solutions:",[42,301,302,305,308],{},[45,303,304],{},"Short access token expiry (15 min) + revocable refresh tokens",[45,306,307],{},"Token blacklist in Redis",[45,309,310],{},"Token version in user record",[13,312,313],{},"Recommended approach (refresh tokens):",[64,315,316,319,322],{},[45,317,318],{},"On logout, delete refresh token from database",[45,320,321],{},"Access token continues working until expiry (15 min max)",[45,323,324],{},"Client deletes access token from memory",[13,326,327],{},"If immediate invalidation needed:",[64,329,330,333,336],{},[45,331,332],{},"Add jti (token ID) to blacklist in Redis",[45,334,335],{},"Set TTL matching token expiration",[45,337,338],{},"Check blacklist on protected routes",[13,340,341],{},"On logout:",[42,343,344,347,350,353],{},[45,345,346],{},"Revoke refresh token in database",[45,348,349],{},"Add access token jti to blacklist",[45,351,352],{},"Clear tokens from client",[45,354,355],{},"Redirect to login",[357,358,359],"tip-box",{},[13,360,361,364],{},[192,362,363],{},"Pro tip:"," Test logout by logging in on two devices, logging out on one, and verifying the session is truly terminated. Can you still access protected pages on the logged-out device by using the back button?",[366,367,368,375],"faq-section",{},[369,370,372],"faq-item",{"question":371},"Why not just clear the cookie?",[13,373,374],{},"If you only clear the cookie without invalidating the session server-side, someone who copied the session ID could continue using it. Always invalidate server-side first.",[369,376,378],{"question":377},"Should logout require authentication?",[13,379,380],{},"No. If the user's session is already invalid, they should still be able to \"logout\" (clear cookies and redirect). Handle both authenticated and unauthenticated logout gracefully.",[17,382,384],{"id":383},"further-reading","Further Reading",[13,386,387],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[64,389,390,397,403],{},[45,391,392],{},[393,394,396],"a",{"href":395},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[45,398,399],{},[393,400,402],{"href":401},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[45,404,405],{},[393,406,408],{"href":407},"/blog/best-practices/secrets","Secret management best practices",[410,411,412,418],"related-articles",{},[413,414],"related-card",{"description":415,"href":416,"title":417},"Secure session management","/blog/prompts/add-session-security","Add Session Security",[413,419],{"description":420,"href":421,"title":422},"Token-based auth","/blog/prompts/secure-jwt-implementation","Secure JWT Implementation",[424,425,428,432],"cta-box",{"href":426,"label":427},"/","Start Free Scan",[17,429,431],{"id":430},"check-your-logout-security","Check Your Logout Security",[13,433,434],{},"Verify your logout actually terminates sessions.",{"title":436,"searchDepth":437,"depth":437,"links":438},"",2,[439,440,441,442,443,444],{"id":19,"depth":437,"text":20},{"id":105,"depth":437,"text":106},{"id":203,"depth":437,"text":204},{"id":283,"depth":437,"text":284},{"id":383,"depth":437,"text":384},{"id":430,"depth":437,"text":431},"prompts","2026-02-27","2026-03-06","AI prompts to implement secure logout. Properly invalidate sessions, clear tokens, and protect against session fixation after logout.",false,"md",null,"cyan",{},true,"AI prompts to implement secure logout and session termination.","/blog/prompts/secure-logout","[object Object]","BlogPosting",{"title":5,"description":448},{"loc":456},"blog/prompts/secure-logout",[463],"Authentication","summary_large_image","Yb713ZQtri1oJsjzwshjbFlvY87542EeIdZF84CPps0",1775843937955]