Langflow: Logout button does not clear session
Description
Summary
The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.
Details
Not in auto login mode. Hosted on localhost. access_token_lf remains present in both Local Storage and Cookies. refresh_token_lf remains present in Cookies.
Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.
LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER:
LANGFLOW_SUPERUSER_PASSWORD:
LANGFLOW_SECRET_KEY:
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"
PoC
Click Logout. Hit refresh to return to previous screen.
Impact
Users on shared computers may falsely believe they have terminated their session.
Patches
Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Range: <1.7.0
Vulnerability mechanics
Root cause
"The `/logout` endpoint deleted authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout."
Attack vector
An attacker who gains physical or remote access to a shared computer after a victim clicks Logout can still access the victim's session because the browser kept the authentication cookies (`access_token_lf`, `refresh_token_lf`) [ref_id=2]. The `/logout` endpoint deleted cookies without matching the original `httponly`/`samesite`/`secure`/`domain` parameters, so the browser did not honor the deletion [ref_id=3]. Simply refreshing the page returns the attacker to the previous authenticated screen [ref_id=2].
Affected code
The `/logout` endpoint in `src/backend/base/langflow/api/v1/login.py` deleted cookies without matching the original `httponly`, `samesite`, `secure`, or `domain` parameters, so the browser retained them. The frontend in `src/frontend/src/stores/authStore.ts` and `src/frontend/src/utils/cookie-manager.ts` also did not clear auth cookies on logout.
What the fix does
Patch `[patch_id=6633372]` rewrites the `/logout` endpoint to pass the same `httponly`, `samesite`, `secure`, and `domain` parameters that were used when creating each cookie, ensuring the browser actually removes them. Patch `[patch_id=6633373]` adds `cookieManager.clearAuthCookies()` to the frontend logout flow and extends that method to also remove the `auto_login_lf` cookie, so both server-side and client-side cookie deletion are now consistent.
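As an added illustration, not code from Langflow or from the patches named above: the following Python model reproduces the failure described under Root cause and the behaviour the fix restores. It emulates the browser rules that matter here: a cookie is identified by its (name, domain, path) tuple, a deletion (Max-Age=0) removes only the entry whose tuple matches, and a response delivered over plain http cannot remove a Secure cookie. The cookie names are the advisory's; the host, domain, token strings and all helper names are constructed assumptions, and the jar is a deliberately small model rather than a full RFC 6265 implementation.

```python
"""Added example (not Langflow's code): why a cookie deletion must repeat the
attributes used when the cookie was set. Cookie names come from the advisory;
every other value (host, domain, tokens) is constructed for the demonstration."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Set, Tuple

ACCESS_COOKIE = "access_token_lf"
REFRESH_COOKIE = "refresh_token_lf"
AUTH_COOKIES = (ACCESS_COOKIE, REFRESH_COOKIE)


@dataclass(frozen=True)
class CookieAttrs:
    """Attributes the server chooses when it sets (or deletes) a cookie."""
    path: str = "/"
    domain: Optional[str] = None
    secure: bool = False
    httponly: bool = False
    samesite: str = "lax"


def set_cookie_header(name: str, value: str, attrs: CookieAttrs,
                      max_age: Optional[int] = None) -> str:
    """Render one Set-Cookie header value; max_age=0 is the deletion form."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = attrs.path
    if attrs.domain:
        morsel["domain"] = attrs.domain
    if attrs.secure:
        morsel["secure"] = True
    if attrs.httponly:
        morsel["httponly"] = True
    morsel["samesite"] = attrs.samesite
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


class BrowserCookieJar:
    """Minimal model of a browser cookie store: entries are keyed by
    (name, domain, path) as in RFC 6265 section 5.3, a Max-Age=0 Set-Cookie
    removes only the entry with the identical key, and a non-https response
    may neither set nor remove a Secure cookie (the RFC 6265bis
    'Leave Secure Cookies Alone' rule)."""

    def __init__(self, host: str):
        self.host = host
        self.store: Dict[Tuple[str, str, str], Tuple[str, bool]] = {}

    def apply(self, set_cookie: str, over_https: bool) -> None:
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, m in parsed.items():
            if m["secure"] and not over_https:
                continue  # http:// origin cannot write a Secure cookie
            # Domain cookies are stored with a leading dot, host-only cookies
            # under the request host, so the two never share a key.
            domain = "." + m["domain"].lstrip(".").lower() if m["domain"] else self.host
            key = (name, domain, m["path"] or "/")
            existing = self.store.get(key)
            if existing and existing[1] and not over_https:
                continue  # http:// origin cannot remove an existing Secure cookie
            if m["max-age"] != "" and int(m["max-age"]) <= 0:
                self.store.pop(key, None)
            else:
                self.store[key] = (m.value, bool(m["secure"]))

    def names(self) -> Set[str]:
        return {name for (name, _domain, _path) in self.store}


def login_response(access_token: str, refresh_token: str, attrs: CookieAttrs) -> List[str]:
    """Set-Cookie headers a login handler would emit (constructed)."""
    return [set_cookie_header(ACCESS_COOKIE, access_token, attrs),
            set_cookie_header(REFRESH_COOKIE, refresh_token, attrs)]


def logout_response_broken() -> List[str]:
    """Bug pattern from the advisory: delete with default attributes
    regardless of how the cookie was originally created."""
    return [set_cookie_header(name, "", CookieAttrs(), max_age=0) for name in AUTH_COOKIES]


def logout_response_fixed(attrs: CookieAttrs) -> List[str]:
    """Fix pattern: delete with exactly the attributes used at login."""
    return [set_cookie_header(name, "", attrs, max_age=0) for name in AUTH_COOKIES]


def cookies_after_logout(login_attrs: CookieAttrs, login_https: bool,
                         logout_headers: List[str], logout_https: bool) -> Set[str]:
    """Drive a login then a logout through the jar; return what survives."""
    jar = BrowserCookieJar("app.example.test")  # constructed host
    for header in login_response("constructed-access", "constructed-refresh", login_attrs):
        jar.apply(header, login_https)
    for header in logout_headers:
        jar.apply(header, logout_https)
    return jar.names()


if __name__ == "__main__":
    domain_attrs = CookieAttrs(domain="app.example.test", httponly=True)
    print("broken logout leaves:", cookies_after_logout(domain_attrs, False, logout_response_broken(), False))
    print("fixed logout leaves:", cookies_after_logout(domain_attrs, False, logout_response_fixed(domain_attrs), False))
```

With a Domain attribute at login, the broken logout issues a host-only deletion whose key never matches the stored domain cookie, so both tokens survive exactly as the PoC describes; the fixed logout repeats the Domain and the entries are removed. The Secure scenario adds the caveat a deployer should keep in mind: even a correctly attributed deletion is ignored by the browser when the logout response itself arrives over plain http, so the logout route must be served from the same secure origin that set the cookies.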
Preconditions
- config: LANGFLOW_AUTO_LOGIN must be set to 'False'
- network: the application must be hosted on localhost (or any shared-computer scenario)
- input: a user must have logged in and then clicked the Logout button
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 4
No linked articles in our index yet.