# talk-kratos
a
What is the correct way to delete a user? We want to implement the possibility that a user can delete their own account. Nothing special. But how do we actually do that? Our current approach is that the user, while still logged in, sends a request to our backend that the account shall be deleted. The backend then does a REST call
DELETE <ORY_URL>/admin/identities/<user_id>
After that the user is deleted in ORY all right. But the user still has an ORY session cookie in the browser, and this causes errors when we try to access endpoints in our app. We get a 401 response all the time. So what is the proper way to remove leftover cookies etc. so that the user is properly deleted and logged out?
f
I would 1. Log out the user 2. Show a page to the user that their request for account deletion has been sent 3. Send the DELETE request to the Ory API 4. Send an email to the user that the account was successfully deleted.
a
That is a possibility, but with its own set of possible problems. The actual deletion is done after the response to the user's deletion request has been returned to the user. You can run into "race" conditions. The user might log back in before the account is actually deleted. The deletion in Ory may be done before the user is actually logged out. The deletion may fail, but you can't easily report that to the user.
Invalidating the session can help at least with one of your concerns
The user might log back in, before the account is actually deleted.
you can set a cookie that is valid for, for example, 5-10 minutes and prevent the login flow when that cookie is present
The deletion may fail but you can’t easily report that to the user.
in this case I would inform the user by email that the account wasn't deleted and ask them to contact support to fix it manually.
a
Yes. But all these problems simply don't occur when I delete the user immediately within the request. The only problem that I have is: How do I properly "forget" the user's session/token in our web app?
f
it depends on your app. Most probably you have some state storage in your frontend
where the auth state also lives
a
Yes, Ory sets a cookie.
f
as soon as you invalidate the session, a request to sessions/whoami will not give you a user.
and your frontend wrapper will get this info
this is why Ory is using access tokens instead of JWTs, as far as I know
a
Are there any other inputs to this problem? Is there no way to delete a user and at the same time remove the ory session cookie?