From 3c4398ac34641be00b4d5f1a599cda15e68dd528 Mon Sep 17 00:00:00 2001 From: moktamd Date: Fri, 27 Mar 2026 14:56:29 +0000 Subject: [PATCH] fix: delete current session on logout instead of only expiring the cookie The logout operation skipped session deletion when disableLocalStrategy was true, causing sessions to accumulate in the users_sessions table. For single-session logout, use the existing revokeSession helper instead of reimplementing session filtering. --- .../payload/src/auth/operations/logout.ts | 77 ++++++++++--------- 1 file changed, 40 insertions(+), 37 deletions(-) diff --git a/packages/payload/src/auth/operations/logout.ts b/packages/payload/src/auth/operations/logout.ts index 424991f3dd0..3f09e95c1de 100644 --- a/packages/payload/src/auth/operations/logout.ts +++ b/packages/payload/src/auth/operations/logout.ts @@ -8,6 +8,7 @@ import { appendNonTrashedFilter } from '../../utilities/appendNonTrashedFilter.j import { commitTransaction } from '../../utilities/commitTransaction.js' import { initTransaction } from '../../utilities/initTransaction.js' import { killTransaction } from '../../utilities/killTransaction.js' +import { removeExpiredSessions, revokeSession } from '../sessions.js' export type Arguments = { allSessions?: boolean 
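Review bot: `removeExpiredSessions` is brought in on the added import line but nothing in this patch calls it — the rewritten logout body in the second hunk only uses `revokeSession` — so under `noUnusedLocals` or the lint config it is a dead import. Trim the line to `import { revokeSession } from '../sessions.js'`, unless a use exists elsewhere in the file that this diff does not show.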
@@ -45,50 +46,52 @@ export const logoutOperation = async (incomingArgs: Arguments): Promise } } - if (collectionConfig.auth.disableLocalStrategy !== true && collectionConfig.auth.useSessions) { - const where = appendNonTrashedFilter({ - enableTrash: Boolean(collectionConfig.trash), - trash: false, - where: { - id: { - equals: user.id, + if (collectionConfig.auth.useSessions) { + if (allSessions) { + const where = appendNonTrashedFilter({ + enableTrash: Boolean(collectionConfig.trash), + trash: false, + where: { + id: { + equals: user.id, + }, }, - }, - }) + }) - const userWithSessions = await req.payload.db.findOne<{ - id: number | string - sessions: { id: string }[] - }>({ - collection: collectionConfig.slug, - req, - where, - }) + const userWithSessions = await req.payload.db.findOne<{ + id: number | string + sessions: { id: string }[] + }>({ + collection: collectionConfig.slug, + req, + where, + }) - if (!userWithSessions) { - throw new APIError('No User', httpStatus.BAD_REQUEST) - } + if (!userWithSessions) { + throw new APIError('No User', httpStatus.BAD_REQUEST) + } - if (allSessions) { userWithSessions.sessions = [] - } else { - const sessionsAfterLogout = (userWithSessions?.sessions || []).filter( - (s) => s.id !== req?.user?._sid, - ) - userWithSessions.sessions = sessionsAfterLogout + // Prevent updatedAt from being updated when only removing sessions + ;(userWithSessions as any).updatedAt = null + + await req.payload.db.updateOne({ + id: user.id, + collection: collectionConfig.slug, + data: userWithSessions, + req, + returning: false, + }) + } else if (user._sid) { + await revokeSession({ + collectionConfig, + payload: req.payload, + req, + sid: user._sid, + user, + }) } - - // Prevent updatedAt from being updated when only removing a session - ;(userWithSessions as any).updatedAt = null - - await req.payload.db.updateOne({ - id: user.id, - collection: collectionConfig.slug, - data: userWithSessions, - req, - returning: false, - }) } if (shouldCommit) {
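Review bot: In the new `else if (user._sid)` branch a request whose user carries no `_sid` falls through without touching any stored session, so with useSessions enabled the server-side session survives logout while the cookie is still expired (the commit message describes that cookie step, which lies outside this hunk); the old code reached updateOne in that case. If that is intended, a comment such as `// No session id on the request: nothing to revoke server-side, only the cookie is cleared` above the branch would make it explicit; otherwise consider throwing an APIError there, as the allSessions branch does when the user lookup fails. The generic passed to `findOne` could also be widened to `sessions: { id: string }[]; updatedAt?: null | string` so the `as any` on the `updatedAt = null` line can go. It is worth confirming that `revokeSession` skips trashed users the way the allSessions branch does via appendNonTrashedFilter, since the single-session path no longer applies that filter here. logoutOperation starts before and continues after this hunk on both sides.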