CONCEPT Cited by 1 source
Cosmetic logout
Cosmetic logout is the vulnerability where a user-visible "log out" action clears local state (cookies, UI) but does not actually revoke the underlying token at the authority — so an attacker who captured the token before logout can keep using it indefinitely.
The term comes from Fly.io (restating a widely cited cryto.net blog post) and is a direct shot at JWT-based session schemes that handle logout by "forgetting the token on the client" rather than revoking it server-side:
"Revocation isn't a corner case. It can't be an afterthought. We're potentially revoking tokens any time a user logs out. If that doesn't work reliably, you wind up with 'cosmetic logout', which is a real vulnerability. When we kill a token, it needs to stay dead." (Source: sources/2025-03-27-flyio-operationalizing-macaroons.)
Why it's specifically a JWT-era problem
JWTs with no server-side state are the canonical offender: client-side "logout" is the only thing a purely stateless design allows, so every JWT already issued remains valid until it expires, whatever the client has forgotten. Stateful-token designs (Macaroons with a revocation store, or classic DB-backed session cookies) can revoke authoritatively.
The Fly.io remedy
The tkdb blacklist table, nonce-level revocation and feed-based cache invalidation together ensure that logout actually kills the token, and that the kill propagates to cached verifiers within one feed-poll interval:
CREATE TABLE blacklist (
nonce BLOB NOT NULL UNIQUE,
required_until DATETIME,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
Revocation is nonce-level: "every Macaroon in the lineage of that nonce is now dead."
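The following is an added illustration, not code from Fly.io or the cited blog post. It contrasts the two verifiers described above: a stateless signature-only check (which exhibits cosmetic logout, since nothing the client forgets can make it fail) and an authority that consults the blacklist table from this page by nonce, so a logout kills every token derived from that nonce. A small cached verifier that polls a revocation feed shows the propagation window. The HMAC chaining, the `Authority`/`CachedVerifier` classes, the in-memory sqlite database and the token nonce are all constructed for the demo and are not Fly.io's tkdb implementation.

```python
"""Cosmetic logout vs. authoritative nonce-level revocation (constructed demo)."""
import hashlib
import hmac
import sqlite3

ROOT_KEY = b"constructed-root-key-not-a-real-secret"  # constructed demo key

# DDL as given on the page; required_until is left unused in this demo.
BLACKLIST_DDL = """
CREATE TABLE blacklist (
    nonce BLOB NOT NULL UNIQUE,
    required_until DATETIME,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
"""


def _sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(nonce: bytes, caveats: tuple[str, ...] = ()) -> dict:
    """Mint a macaroon-style token: signature chains root key -> nonce -> each caveat."""
    sig = _sign(ROOT_KEY, nonce)
    for caveat in caveats:
        sig = _sign(sig, caveat.encode())
    return {"nonce": nonce, "caveats": caveats, "sig": sig}


def attenuate(token: dict, caveat: str) -> dict:
    """Derive a child token in the same lineage (same nonce, signature chained from the parent)."""
    return {
        "nonce": token["nonce"],
        "caveats": token["caveats"] + (caveat,),
        "sig": _sign(token["sig"], caveat.encode()),
    }


def verify_stateless(token: dict) -> bool:
    """Signature-only check. A client 'forgetting' the token cannot make this fail: cosmetic logout."""
    expected = mint(token["nonce"], token["caveats"])["sig"]
    return hmac.compare_digest(expected, token["sig"])


class Authority:
    """Owns the blacklist table and publishes an append-only feed of revoked nonces."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(BLACKLIST_DDL)
        self.feed: list[bytes] = []  # stand-in for tkdb's revocation feed

    def logout(self, token: dict) -> None:
        # Nonce-level revocation: every token in the lineage of this nonce dies.
        self.db.execute("INSERT OR IGNORE INTO blacklist (nonce) VALUES (?)", (token["nonce"],))
        self.db.commit()
        self.feed.append(token["nonce"])

    def verify(self, token: dict) -> bool:
        if not verify_stateless(token):
            return False
        row = self.db.execute(
            "SELECT 1 FROM blacklist WHERE nonce = ?", (token["nonce"],)
        ).fetchone()
        return row is None


class CachedVerifier:
    """Edge verifier with a local revoked-nonce set, refreshed by polling the authority's feed."""

    def __init__(self, authority: Authority) -> None:
        self.authority = authority
        self.revoked: set[bytes] = set()
        self.cursor = 0

    def poll(self) -> int:
        """Pull new feed entries; returns how many nonces were newly learned."""
        new = self.authority.feed[self.cursor:]
        self.revoked.update(new)
        self.cursor = len(self.authority.feed)
        return len(new)

    def verify(self, token: dict) -> bool:
        return verify_stateless(token) and token["nonce"] not in self.revoked


def demo() -> dict:
    """Walk through a logout and report what each verifier says afterwards."""
    auth = Authority()
    edge = CachedVerifier(auth)
    root = mint(b"nonce-0001")                 # constructed nonce
    child = attenuate(root, "scope=read")      # same lineage, narrower scope
    captured = dict(root)                      # copy taken before logout (constructed scenario)
    auth.logout(root)                          # the user clicks "log out"
    return {
        "stateless_still_valid": verify_stateless(captured),  # True: cosmetic logout
        "authority_rejects": not auth.verify(captured),        # True: blacklist hit
        "child_also_dead": not auth.verify(child),             # True: whole lineage dies
        "edge_before_poll": edge.verify(captured),             # True: cache is stale
        "edge_after_poll": (edge.poll(), edge.verify(captured))[1],  # False: within one poll interval
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stale `edge_before_poll` result is the window the page refers to: a cached verifier only learns about the kill on its next feed poll, so the poll interval bounds how long a revoked token survives at the edge.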
Seen in
- sources/2025-03-27-flyio-operationalizing-macaroons — canonical wiki instance; cosmetic logout named as the anti-pattern Fly.io's revocation design is built to prevent.