Logout invalidating session / tokens does not always work

Hi everybody. I have added JWT as @Matti has written here: JWT authentication with Vaadin Flow - for better developer and user experience | Vaadin

I also added the same logout:

import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.icon.VaadinIcon;
import com.vaadin.flow.server.VaadinServletRequest;
import com.vaadin.flow.server.VaadinServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

    // Names of the two cookies that together carry the stateless JWT
    private static final String JWT_HEADER_AND_PAYLOAD_COOKIE_NAME = "jwt.headerAndPayload";
    private static final String JWT_SIGNATURE_COOKIE_NAME = "jwt.signature";

    private void clearCookies() {
        clearCookie(JWT_HEADER_AND_PAYLOAD_COOKIE_NAME);
        clearCookie(JWT_SIGNATURE_COOKIE_NAME);
    }

    // Expire a cookie by sending it back with the same name and path and Max-Age=0
    private void clearCookie(String cookieName) {
        HttpServletRequest request = VaadinServletRequest.getCurrent()
                .getHttpServletRequest();
        HttpServletResponse response = VaadinServletResponse.getCurrent()
                .getHttpServletResponse();

        Cookie k = new Cookie(cookieName, null);
        // Path must match the path the cookie was originally set with, otherwise the browser keeps the old one
        k.setPath(getRequestContextPath(request));
        k.setMaxAge(0);
        k.setSecure(request.isSecure());
        k.setHttpOnly(false);
        response.addCookie(k);
    }

    private String getRequestContextPath(HttpServletRequest request) {
        final String contextPath = request.getContextPath();
        return "".equals(contextPath) ? "/" : contextPath;
    }

    // In MainLayout: the logout button
        Button logout = new Button("Logout", VaadinIcon.SIGN_OUT.create());
        logout.getStyle().setCursor("pointer");
        logout.addClickListener(event -> {
            securityUtils.logout();
        });

SecurityUtils is a @Component-annotated class that is injected into the MainLayout, where the logout button is added.

Do you also call AuthenticationContext.logout()?

I have added it to the logout method, but it's still the same.

import com.vaadin.flow.component.UI;
import com.vaadin.flow.server.VaadinSession;
import com.vaadin.flow.server.WrappedSession;
import com.vaadin.flow.spring.security.AuthenticationContext;

    public void logout() {
        // Expire the JWT cookies (and the app session) in the current response
        clearCookiesAndSession();
        // Delegates to Spring Security's logout handling
        authenticationContext.logout();
        UI ui = UI.getCurrent();
        if (ui != null) {
            // Ask the browser to navigate to the login page
            ui.access(() -> ui.getPage().setLocation("/login"));
        }

        // Invalidate the HTTP session and close the Vaadin session
        VaadinSession session = VaadinSession.getCurrent();
        if (session != null) {
            WrappedSession wrappedSession = session.getSession();
            if (wrappedSession != null) {
                wrappedSession.invalidate();
            }
            session.close();
        }
    }

I already tried forwarding to login, but this also does not work. It only works after I click the button several times.

Ah, I deployed it to production and now it works! Could the local dev environment be the “problem”?

Can you elaborate a bit on “does not always work”?
Does it mean the session is not invalidated? Or that the cookie is not removed, and you still get access to the application after logout? Or that you are not redirected somewhere?

Also, if authenticationContext is from Vaadin, it delegates the logout process and potential session invalidation to Spring Security, and it should also take care of the redirect to the login page if needed.

It works on production.

Locally, when running in IntelliJ, I hit the button and the page reloads. The cookie stays in the browser and I can access the app.

After hitting the button 3, 4 or 5 times it works: the cookies are removed and I get forwarded to the login page. It looks like dev mode has some impact on it; could this be?

Which exact Vaadin version are you using?

It looks like dev mode has some impact on it; could this be?

I remember an issue with the redirect being cancelled by the Vite websocket forcing a page reload, but I could not find the ticket right now.
And I have a memory that the issue was fixed at some point, but I have to double-check.


I am using 24.6.4, so the most recent one.

I was wrong, the ticket is still open: [Dev mode] Vite page reload cancels redirection to the logout page when an authenticated session is invalidated · Issue #20819 · vaadin/flow · GitHub


Okay, thank you, then this issue is the same, I think :) Thank you!