Identity and Access Management


How to delete client side cookie when server side session is terminated by agent or user?

  • 1.  How to delete client side cookie when server side session is terminated by agent or user?

    Posted 26 days ago

    Problem Statement

    The IAM platform currently issues a stateless client-side cookie to maintain user sessions. As a result, when a back-channel logout event occurs, the client-side cookie remains active because it cannot be invalidated server-side.

    This creates a challenge in multi-channel environments where users can be simultaneously logged in from multiple clients (e.g., web browsers, mobile apps, or other devices). Each client maintains its own cookie-based session, making centralized session termination ineffective.

    Additionally, the system supports a "Remember Me" feature that allows users to stay signed in beyond the server-side session lifetime. This means that even after the server session expires, the client-side stateless cookie continues to authenticate the user until the cookie itself reaches its configured expiry time.

    The goal is to design a solution that:

    • Ensures back-channel logout can effectively invalidate or neutralize stateless cookies across all user channels.

    • Maintains the "Remember Me" user experience where appropriate, without compromising security or session consistency.



    ------------------------------
    Shailesh Kejadiwal
    Mr
    Unknown
    ------------------------------


  • 2.  RE: How to delete client side cookie when server side session is terminated by agent or user?

    Posted 17 days ago

    We solved this in a production CIAM rollout by moving from fully stateless long-lived cookies to a hybrid pattern: keep a short-lived access cookie for everyday requests and issue device-scoped opaque refresh tokens (hashed & stored server-side) for the Remember Me experience.
    On a back-channel logout we revoke the affected refresh token(s) (or increment a per-user token version) in our device registry (Redis with TTL). That means any existing short-lived access cookie will only live until its small TTL (minutes), and clients can't get a new one because the refresh token is revoked. For immediate cut-off we push a logout event to connected clients; otherwise the short TTL provides a bounded window.
    This gives you centralized logout control across browsers/apps while preserving "remember me" convenience at the cost of a small, cheap server-side state (device records + revocation entries).

    Hope it helps!



    ------------------------------
    Gagan K. Mathur
    ✦ Driving Efficiencies and Innovations For Organisations | IAM Leader | Secure Digital Transformation Expert ✦
    ------------------------------
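The hybrid pattern described in the reply above, as an added illustration (not the poster's code): a short-lived HMAC-signed access cookie that stays stateless, plus opaque refresh tokens whose SHA-256 hashes live in a server-side device registry, revoked either per device or for all of a user's devices by bumping a per-user token version. The key, TTLs and in-memory dicts standing in for Redis are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"   # assumption: server-side signing key for the access cookie
ACCESS_TTL = 300                    # seconds; the "small TTL (minutes)" bounded window
REFRESH_TTL = 30 * 24 * 3600        # Remember Me lifetime of a refresh token

refresh_store = {}   # sha256(token) -> {user, device, version, exp}; stands in for Redis with TTL
user_version = {}    # user -> current token version, incremented on back-channel logout

def _sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def issue_access_cookie(user: str, now: float) -> str:
    # Stateless: validated by signature and expiry only, so it lives until its TTL.
    return _sign({"sub": user, "exp": now + ACCESS_TTL})

def verify_access_cookie(cookie: str, now: float) -> bool:
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                                  # tampered or forged cookie
    return json.loads(base64.urlsafe_b64decode(body))["exp"] > now

def issue_refresh_token(user: str, device: str, now: float) -> str:
    token = secrets.token_urlsafe(32)                 # opaque; only its hash is stored
    refresh_store[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user, "device": device,
        "version": user_version.get(user, 0), "exp": now + REFRESH_TTL}
    return token

def refresh(token: str, now: float):
    """Exchange a refresh token for a new access cookie; None if revoked, expired or unknown."""
    rec = refresh_store.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["exp"] <= now or rec["version"] != user_version.get(rec["user"], 0):
        return None
    return issue_access_cookie(rec["user"], now)

def revoke_device(token: str) -> None:
    """Targeted logout: drop a single device's refresh token from the registry."""
    refresh_store.pop(hashlib.sha256(token.encode()).hexdigest(), None)

def backchannel_logout(user: str) -> None:
    """Global logout: bump the version so every refresh token issued earlier for the user fails."""
    user_version[user] = user_version.get(user, 0) + 1
```

After `backchannel_logout`, an already-issued access cookie still verifies until its TTL expires, which is exactly the bounded window the reply accepts unless a push event cuts the client off sooner.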