Skip to content

Does deleting the session cookie in your browser log you out on the server?

Short answer

No. Deleting the cookie just removes the credential from your browser — the session record (or a still-valid JWT) on the server typically remains usable until it expires or is explicitly invalidated. An attacker who already captured the token can keep using it. The misconception treats the cookie as the session itself; it is only a pointer to server-side state. Real logout must invalidate the session server-side, or revoke and short-TTL the token.

This question separates engineers who understand where session state lives from those who think the cookie is the session. Getting it wrong leads to broken logout flows that leave valid credentials alive.

A session cookie is just a bearer credential — usually an opaque session ID or a signed token — that your browser presents on each request. Deleting it from your browser means you stop sending it. It sends no message to the server; the server isn't even aware you cleared it. For a classic server-side session, the corresponding record in the session store (memory, Redis, a database) is still there and still valid. For a JWT, the situation is worse: the token is self-contained and cryptographically valid until its expiry, with no server lookup at all by default. So if a copy of that cookie or token leaked — captured over a compromised network, stolen from local storage by XSS, or pulled from a proxy log — the attacker can replay it long after you "logged out."

The right mental model

The cookie is a pointer; the authority lives on the server. Logging out must therefore act on the server:

  • Stateful sessions: delete or mark the session record invalid in the store, so the next request with that ID is rejected. Then also clear the client cookie for tidiness.
  • Stateless JWTs: you can't truly delete a signed token, so use short TTLs plus a refresh-token model, and maintain a revocation/deny list (or rotate signing keys) to kill tokens early.

Why it matters in practice

This is exactly why "log out of all devices" and token revocation features exist — they invalidate server-side state so a stolen credential dies. Closing the browser doesn't help either; servers don't expire sessions when a socket drops, and persistent cookies survive a restart. The interview-ready answer: deleting the cookie is a client-side gesture; only server-side invalidation actually ends a session.

Likely follow-ups

  • How does logout differ for an opaque session ID versus a stateless JWT?
  • Why is server-side revocation hard for JWTs, and what patterns address it?
  • What does a 'log out of all devices' feature actually do on the backend?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.