Streamlit + Cognito: st.logout() doesn’t clear auth cookie → auto-login when switching users

Hi,

I’m using Streamlit with AWS Cognito (Hosted UI / OIDC). Login works, but logout is inconsistent when I try to switch accounts.

Calling st.logout() clears Streamlit’s session, but the browser still has an authentication cookie, so when I click “Sign in” again Cognito (or my ALB/OIDC integration) sometimes re-authenticates automatically and I’m not prompted for credentials.

According to Cognito docs, I should call the Hosted UI logout endpoint:

https://.auth..amazoncognito.com/logout?client_id=<client_id>&logout_uri=

However, I still see auto-login occasionally, which makes me think the relevant cookie is not being cleared (or the logout redirect isn’t happening reliably).

Questions:

  1. What’s the correct way to implement a reliable logout flow in Streamlit so the browser auth cookie is cleared every time?

  2. If this is behind an ALB with Cognito authentication, do I also need to clear ALB auth cookies (e.g., AWSELBAuthSessionCookie*) in addition to calling Cognito /logout?

Thanks!

You’re right: st.logout() only clears Streamlit state, not browser auth cookies.

Short, reliable approach:

  1. Always redirect the browser to Cognito’s Hosted UI logout endpoint (not fetch/XHR):
https://<domain>.auth.<region>.amazoncognito.com/logout?client_id=<client_id>&logout_uri=<url-encoded redirect>

Make sure logout_uri is whitelisted in Cognito.

  2. If you’re behind an ALB with Cognito auth, you also need to clear ALB cookies. The ALB sets cookies like:
AWSELBAuthSessionCookie*

These are not cleared by Cognito logout alone.

The usual pattern is:

Redirect to Cognito /logout

Redirect back to a public endpoint (no ALB auth)

From there, redirect again to the protected app

Without clearing both Cognito and ALB cookies, auto-login can happen.
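
The two halves of the flow described above, as an added example that is not part of the original thread and not Streamlit or AWS code: it builds the Hosted UI logout redirect and the Set-Cookie headers that expire every AWSELBAuthSessionCookie* the browser sent. It assumes a small handler on a public path of the same host as the ALB-protected app; the function names, the allowlist, the sample values and the cookie attributes (Path=/, host-only) are assumptions.

```python
from urllib.parse import urlencode

ALB_COOKIE_PREFIX = "AWSELBAuthSessionCookie"  # cookie family named in the answer
# Assumption: mirror of the sign-out URLs registered on the Cognito app client.
ALLOWED_LOGOUT_URIS = {"https://app.example.com/signed-out"}


def cognito_logout_url(domain, region, client_id, logout_uri):
    """Build the Hosted UI /logout URL with a URL-encoded logout_uri."""
    if logout_uri not in ALLOWED_LOGOUT_URIS:
        raise ValueError(f"logout_uri not registered: {logout_uri!r}")
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{domain}.auth.{region}.amazoncognito.com/logout?{query}"


def expire_alb_cookies(cookie_header):
    """Return Set-Cookie values that expire each ALB auth cookie the browser sent."""
    expired = []
    for part in cookie_header.split(";"):
        name = part.strip().partition("=")[0]
        if name.startswith(ALB_COOKIE_PREFIX):
            # Assumption: the ALB cookies use Path=/ and are host-only.
            expired.append(f"{name}=; Path=/; Max-Age=0; "
                           "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly")
    return expired


def logout_response(cookie_header, domain, region, client_id, logout_uri):
    """Status and headers for the public logout endpoint: clear ALB cookies, go to Cognito."""
    headers = [("Location", cognito_logout_url(domain, region, client_id, logout_uri))]
    headers += [("Set-Cookie", value) for value in expire_alb_cookies(cookie_header)]
    # no-store keeps a cached copy of this redirect from being replayed.
    headers.append(("Cache-Control", "no-store"))
    return 302, headers


if __name__ == "__main__":
    # Constructed sample Cookie header, not captured from a real session.
    sample = "theme=dark; AWSELBAuthSessionCookie-0=AAAA/bbb+c==; AWSELBAuthSessionCookie-1=DDDD"
    status, headers = logout_response(sample, "myapp", "eu-west-1", "abc123",
                                      "https://app.example.com/signed-out")
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

The redirect has to be a top-level browser navigation to this handler, so the Set-Cookie headers and the Cognito logout both apply to the browser's own cookie jar.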