Hi everyone! I’m evaluating Ory Cloud for some of ...
# ory-network
g
Hi everyone! I’m evaluating Ory Cloud for some of our projects. I just noticed that logout flow does not remove Ory cookies. Is that expected?
h
Hi Ilya, that is not expected! What Ory cookies linger around? 🙂
g
playing around with the Vue example logout actually sets cookie
h
What’s the cookie’s name?
I see, that is expected, this instruction tells the browser to delete the cookie, hence it expires in 1970 🙂
g
here’s a consequent request or are these different cookies?
h
These are different cookies, _auth_session, userid is not from Ory. csrf_token is from Ory, but it is a different type of cookie (a security cookie). __cflb is from Cloudflare.
g
for context: I’m a bit concerned about the latencies that I see when validating sessions on the backend, so I thought if I cache them until expiration and rely on the frontend not having the Ory cookie that would resolve the issue?
These are different cookies, _auth_session, userid is not from Ory
ah, ok maybe something from Node that comes with the example 🤔 thanks
h
Since you are on localhost, it can also come from another application
g
hm, I guess you’re right!
h
I understand the latency concern, we are working towards a solution here to answer “is the user still authenticated” within ~30ms for P95 of requests and are aiming to improve even further. /cc @famous-art-85498 @fast-lunch-54279
It’s on the roadmap for the next month if I am not mistaken, but it can take a bit longer due to the complexity
g
I see, thank you. In general, do you think that it’s a good approach to cache session validation until expiration (or some time) and rely on the client not having the cookie (went through logout flow and the cookie was removed)?
h
That is for sure an option you can consider. It depends on your security model, but in applications that have less security requirements it is often acceptable. Platforms like Auth0 actually do not offer it any other way (the tokens remain active until they expire), so it seems to be accepted industry practice. In general though, I would recommend a “stale-while-revalidate” strategy where you use the value from the cache but validate it in the background and update the cache once the result is here. https://web.dev/stale-while-revalidate/
g
I’ll consider this, thank you!
h
Pleasure!