From 3df7f4b7026df2ffad911789031e5241d600bed0 Mon Sep 17 00:00:00 2001
From: M1 <m1-pro@M1s-MacBook-Pro.local>
Date: Wed, 18 Mar 2026 03:08:00 +0400
Subject: [PATCH] fix: logout properly expires cookie with matching domain/path
 attributes

---
 apps/web/src/routes/auth.ts      | 2 +-
 apps/web/src/routes/dashboard.ts | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/web/src/routes/auth.ts b/apps/web/src/routes/auth.ts
index 7d705dd..5bb0814 100644
--- a/apps/web/src/routes/auth.ts
+++ b/apps/web/src/routes/auth.ts
@@ -80,7 +80,7 @@ export const account = new Elysia({ prefix: "/account" })
   }, { detail: { hide: true } })
 
   .get("/logout", ({ cookie, set }) => {
-    cookie.pingql_key.remove();
+    cookie.pingql_key.set({ value: "", ...COOKIE_OPTS, maxAge: 0 });
     set.redirect = "/dashboard";
   }, { detail: { hide: true } })
 
diff --git a/apps/web/src/routes/dashboard.ts b/apps/web/src/routes/dashboard.ts
index e6296ae..75cd76e 100644
--- a/apps/web/src/routes/dashboard.ts
+++ b/apps/web/src/routes/dashboard.ts
@@ -103,7 +103,8 @@ export const dashboard = new Elysia()
 
   // Logout
   .get("/dashboard/logout", ({ cookie }) => {
-    cookie.pingql_key?.remove();
+    // Explicitly expire with same domain/path so browser actually clears it
+    cookie.pingql_key?.set({ value: "", maxAge: 0, path: "/", domain: process.env.COOKIE_DOMAIN ?? ".pingql.com", secure: process.env.NODE_ENV !== "development", sameSite: "lax" });
     return redirect("/dashboard");
   })