# talk-kratos
Hi there! We are currently adding Ory auth to our Next.js app using Kratos. Everything works fine in our case, except for the logout. We are struggling with one use case:

• If we log out from the app, we get redirected after the logout, then we create a new login flow and are able to sign in properly.
• But if we go to the sign-in page via the URL, we log out, then we render the page, create the login flow, and here we are unable to sign in. We are getting this error:
```
message: "the request was rejected to protect you from Cross-Site-Request-Forgery"
reason: "Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues."
```
After investigating, we found out that the `ory_session` token was still set in the cookies when creating the login flow in the second use case (we are awaiting the logout flow update to finish before creating it). The issue disappears if we timeout the login flow creation, but this is not really something we want to do. Has anyone encountered a similar issue? What were your solutions to this?