We recently started using cloudflare access to authenticate, identify and restrict access to our webapp.
So far with relative success. However, we have noticed an issue with proper logout from the webapp.
Whenever a user session has expired or has been revoked by invoking “https://..com/cdn-cgi/access/logout”,
if the user still has a tab of the app open, any HTTP requests made by our app to our domain receive a 302 redirect response to:
When this is done by entering our domain into the browser address bar, the redirection works fine.
However, if, while the session is invalid, our app tries to perform an asynchronous HTTP request, the browser refuses to follow the redirect because of CORS policy (trying to go from our domain to cloudflareaccess.com).
CORS policy prevents the browser from providing any useful information regarding what went wrong with the HTTP request. This way, our app has no way of figuring out that the session is no longer valid and no way of triggering a proper redirection to the login page.
The error as seen in the Chrome browser, with personal information edited out, is attached.
We followed the community tip guide, trying to find resources that might help but came up empty.
We’ve also read up on CORS, and handling CORS errors on the client side.
What we would expect is either:
- Our domain to be an allowed origin for .cloudflareaccess.com
- The redirect we receive should be to an address within our domain, similar to “https://..com/cdn-cgi/access/login”
Both of these solutions can only be applied by Cloudflare.
Is it something that we’re missing? Can we properly detect logout and redirect to the login page from the web app itself?
Ticket number: 1831191
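An added example, not part of the original post and not code from Cloudflare, showing how an app can detect the situation described above from its own side. The trick is `fetch(url, { redirect: 'manual' })`: the browser then does not try to follow the cross-origin redirect (so CORS never gets involved) and instead resolves with an "opaque redirect" response (`type === 'opaqueredirect'`, `status === 0`). The `Location` stays hidden from script, but the fact that a redirect happened is observable, and a same-origin API that never redirects fetch calls can treat any redirect as "Access intercepted this". The app then falls back to a top-level navigation to its own origin, which the post notes is redirected correctly. The names `createAccessAwareFetch`, `probeSession`, `/api/ping` and the injected `fetchImpl`/`navigate` callbacks are assumptions made for this example so it can run outside a browser; the assumption that the app's own API never answers a fetch with a 3xx is also not stated in the post.

```javascript
// Added example, not code from the original post or from Cloudflare.
// Detects an expired/revoked Cloudflare Access session from an asynchronous
// request and falls back to a top-level navigation, which the browser does
// follow (the address-bar case described in the post).
//
// Assumptions (not stated in the post): the app's own API never answers a
// fetch() with a 3xx, so any redirect seen by fetch() means Access intercepted
// the request. `fetchImpl` and `navigate` are injected so the code can run
// outside a browser; in the page they would be window.fetch and
// window.location.assign.

const OK = 'ok';
const SESSION_EXPIRED = 'session-expired';
const NETWORK_ERROR = 'network-error';

// Interpret a fetch() result obtained with { redirect: 'manual' }.
// Browsers answer any 3xx with an "opaque redirect" response: type
// 'opaqueredirect', status 0, no headers and no body. The Location header is
// hidden from script, so the app cannot read where the redirect pointed, but
// the fact that a redirect happened is observable, and that is enough here.
function classifyResponse(response) {
  if (response.type === 'opaqueredirect') return SESSION_EXPIRED;
  // Non-browser fetch implementations (e.g. Node's undici) hand back the 3xx itself.
  if (response.status >= 300 && response.status < 400) return SESSION_EXPIRED;
  return OK;
}

// Tell "Access redirected us" apart from a real network failure. Without
// redirect: 'manual', a redirect blocked by CORS surfaces as a bare TypeError
// ("Failed to fetch"), identical to the error for an unreachable server. A cheap
// same-origin probe with redirect: 'manual' is never blocked by CORS, because
// nothing is followed, so its outcome is informative.
async function probeSession(fetchImpl, probeUrl) {
  try {
    const res = await fetchImpl(probeUrl, {
      method: 'GET',
      redirect: 'manual',
      cache: 'no-store',
      credentials: 'include',
    });
    return classifyResponse(res);
  } catch (_err) {
    return NETWORK_ERROR;
  }
}

// Build a drop-in replacement for fetch(). On an expired session it calls
// navigate(returnUrl) with a same-origin URL; Access redirects that top-level
// navigation to its login page, and the promise rejects so callers never act
// on a bogus "response".
function createAccessAwareFetch({ fetchImpl, navigate, probeUrl, returnUrl }) {
  return async function accessAwareFetch(url, init = {}) {
    let response;
    try {
      response = await fetchImpl(url, {
        ...init,
        redirect: 'manual',
        credentials: init.credentials ?? 'include',
      });
    } catch (err) {
      // Opaque failure: probe before deciding it is a logout.
      if (err instanceof TypeError &&
          (await probeSession(fetchImpl, probeUrl)) === SESSION_EXPIRED) {
        navigate(returnUrl);
        throw new Error(SESSION_EXPIRED);
      }
      throw err; // genuine network error, let the caller handle it
    }
    if (classifyResponse(response) === SESSION_EXPIRED) {
      navigate(returnUrl);
      throw new Error(SESSION_EXPIRED);
    }
    return response;
  };
}
```

In the page this would be wired up as `createAccessAwareFetch({ fetchImpl: (u, i) => fetch(u, i), navigate: (u) => window.location.assign(u), probeUrl: '/api/ping', returnUrl: window.location.href })`, with the probe URL pointing at any cheap endpoint that sits behind the same Access policy. Two caveats: because `redirect: 'manual'` hides every redirect, the app must not rely on its API legitimately redirecting fetch calls; and the browser still cannot tell the app whether the redirect went to Access or elsewhere, so this detects "a redirect happened", not "Access logged us out" specifically.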