Logout Handling

About

Logout Handling in Spring Security is the process of terminating an authenticated session, ensuring the user is properly logged out and any session data is cleared.

Why is Logout Handling Important?

Security – Prevent unauthorized access after a user logs out.
Session Cleanup – Remove authentication details from memory.
Token Revocation – Ensure JWT or API tokens are invalidated.

How Logout Works in Spring Security?

Spring Security provides built-in logout support that:

Invalidates HTTP session (if using session-based authentication).
Clears SecurityContext (removes authentication details).
Deletes Remember-Me cookies (if enabled).
Redirects users after logout (configurable).

Default Logout Handling in Spring Security

By default, Spring Security enables logout via a GET or POST request to /logout.

For session-based authentication, it invalidates the session.
For JWT or API tokens, additional custom logic is needed.

Implementing Logout in Spring Security

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            .formLogin(withDefaults()) // Enables login
            .logout(logout -> logout // Enables logout
                .logoutUrl("/logout") // Custom logout URL
                .logoutSuccessUrl("/login?logout") // Redirect after logout
                .invalidateHttpSession(true) // Invalidate session
                .deleteCookies("JSESSIONID") // Remove cookies
            );

        return http.build();
    }
}

logoutUrl("/logout") → Defines the logout endpoint.
logoutSuccessUrl("/login?logout") → Redirects users after logout.
invalidateHttpSession(true) → Destroys the session.
deleteCookies("JSESSIONID") → Removes session cookies.

Custom Logout Handler

If we need custom logic (e.g., logging, token revocation, auditing), implement a LogoutHandler.

Step 1: Create a Custom Logout Handler

@Component
public class CustomLogoutHandler implements LogoutHandler {

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        if (authentication != null) {
            System.out.println("User " + authentication.getName() + " is logging out.");
        }
        request.getSession().invalidate(); // Invalidate session
    }
}

logout() method executes custom logic (e.g., logging, API calls).
Can be used to log logout events or notify external services.

Step 2: Register the Custom Logout Handler

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Autowired
    private CustomLogoutHandler customLogoutHandler;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            .logout(logout -> logout
                .addLogoutHandler(customLogoutHandler) // Register custom logout handler
                .logoutSuccessUrl("/login?logout")
            );

        return http.build();
    }
}

Logout in JWT-Based Authentication

In JWT-based authentication, logout does not rely on session invalidation. Instead, we:

Blacklist JWTs (store invalid tokens in a database or cache).
Use short-lived tokens with refresh tokens.
Clear tokens from client-side storage (e.g., local storage or cookies).

Custom JWT Logout Handler

@Component
public class JwtLogoutHandler implements LogoutHandler {

    @Autowired
    private TokenBlacklistService tokenBlacklistService; // Custom service to blacklist JWT

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        String token = extractToken(request);
        if (token != null) {
            tokenBlacklistService.blacklistToken(token); // Add token to blacklist
        }
    }

    private String extractToken(HttpServletRequest request) {
        String bearerToken = request.getHeader("Authorization");
        return (bearerToken != null && bearerToken.startsWith("Bearer ")) ?
                bearerToken.substring(7) : null;
    }
}

Extracts JWT token from Authorization header.
Adds token to a blacklist (Redis, database, etc.).

Register JWT Logout Handler

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .anyRequest().authenticated()
        )
        .logout(logout -> logout
            .addLogoutHandler(new JwtLogoutHandler())
            .logoutSuccessHandler((request, response, authentication) -> {
                response.setStatus(HttpServletResponse.SC_OK);
            })
        );

    return http.build();
}

logoutSuccessHandler() sends a 200 OK response instead of redirecting.

Logout in OAuth2 Authentication

In OAuth2-based authentication, logging out means:

Clearing the local session.
Revoking the OAuth2 access token (if supported by provider).

@Component
public class OAuth2LogoutHandler implements LogoutHandler {

    @Autowired
    private OAuth2AuthorizedClientService clientService;

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        if (authentication instanceof OAuth2AuthenticationToken) {
            OAuth2AuthenticationToken oauthToken = (OAuth2AuthenticationToken) authentication;
            clientService.removeAuthorizedClient(oauthToken.getAuthorizedClientRegistrationId(), oauthToken.getName());
        }
    }
}

Removes OAuth2 tokens from the client store.

Custom Logout Success Handler

If we need to perform custom logic after logout, implement LogoutSuccessHandler.

@Component
public class CustomLogoutSuccessHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException {
        response.setStatus(HttpServletResponse.SC_OK);
        response.getWriter().write("Logout Successful!");
    }
}

Sends a custom response instead of a redirect.

Register Logout Success Handler

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .logout(logout -> logout
            .logoutUrl("/logout")
            .logoutSuccessHandler(new CustomLogoutSuccessHandler())
        );

    return http.build();
}

Security Considerations for Logout Handling

Risk

Mitigation

Session Hijacking

Ensure session invalidation on logout.

Token Replay Attacks

Implement JWT blacklisting.

CSRF Attacks on Logout

Use POST-only logout requests.

PreviousCustom Authentication NextAuthorization

Last updated 8 months ago