Logout does not set cookie session to empty in all browser tabs

Dear all, we have an Angular application with an iframe to encapsulate a grafana web app (deployed in a docker istances with a custom config file grafana.ini).

When we enter in the grafana section inside the Angular app, a login post request is executed with username and password to authenticate on grafana. In order to avoid issues with the authentication, when we leave the grafana section, we execute a logout get request to grafana (to the endpoint /logout).

We have observed that the grafana cookie session (called grafana_session) is deleted from the angular app after the logout while in the grafana web app the cookie is still set (the value of the cookie is the same of the deleted cookie of the angular app).

What we desired is delete all grafana cookies from all client sessions after the logout request.
How can we manage this behaviour?

Thanks!

It is not clear what you are doing. But:

1.) Your app must support multi tab logout = tab which initiated logout must be able to broadcast that logout event to other tabs and they must be able to process it as well, e.g. javascript - How multi-tab logout can be managed in reactJS? - Stack Overflow

2.) Iframe is isolation on the browser level, so I would be suprised if one iframed Grafana will be able to broadcast anything to another iframed Grafana in another tab. Iframes are really bad design and they introduce this kind of (also security) problems.

Hi @jangaraj thanks a lot for your help. Have you any suggestion about set session cookie on grafana? Like this link: Grafana UI Session cookie contains "max-age" attribute. Any way to remove it through configuration?

Thanks

I would use nginx reverse proxy and force required cookie policy there. security - remove specific cookie in nginx reverse proxy - Stack Overflow I don’t believe you can customize cookie on this low level in the Grafana.

Ok nice. Thanks for your help. Another question, can we use session cookie instead persistent cookie in Grafana?

:person_shrugging: - the best option is to try

yes but how shoud we modify the grafana.ini file? Because we find only persistent cookie lifetime