nodeSolidServer · bourgeoa · May 24, 2026 · May 24, 2026
diff --git a/lib/api/authn/webid-oidc.mjs b/lib/api/authn/webid-oidc.mjs
@@ -102,9 +102,24 @@ export function middleware (oidc) {
   router.get('/account/password/change', restrictToTopDomain, PasswordChangeRequest.get)
   router.post('/account/password/change', restrictToTopDomain, bodyParser, PasswordChangeRequest.post)
 
-  router.get('/.well-known/solid/logout/', (req, res) => res.redirect('/logout'))
+  router.get(['/.well-known/solid/logout', '/.well-known/solid/logout/'], (req, res) => res.redirect('/logout'))
 
-  router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })
+  router.get('/goodbye', (req, res, next) => {
+    if (!req.session) {
+      return res.render('auth/goodbye')
+    }
+
+    const domain = req.session.cookie && req.session.cookie.domain
+    req.session.destroy((err) => {
+      if (err) {
+        return next(err)
+      }
+
+      const cookieOptions = domain ? { domain, path: '/' } : { path: '/' }
+      res.clearCookie('nssidp.sid', cookieOptions)
+      res.render('auth/goodbye')
+    })
+  })
 
   // The relying party callback is called at the end of the OIDC signin process
   router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)

diff --git a/lib/create-app.mjs b/lib/create-app.mjs
@@ -321,7 +321,10 @@ function initLoggers () {
 function isLogoutRequest (req) {
   // TODO: this is a hack that hard-codes OIDC paths,
   // this code should live in the OIDC module
-  return req.path === '/logout' || req.path === '/goodbye'
+  return req.path === '/logout' ||
+    req.path === '/goodbye' ||
+    req.path === '/.well-known/solid/logout' ||
+    req.path === '/.well-known/solid/logout/'
 }
 
 /**