localStorage not cleared on logout causes cross-account data leak
Problem
User A logs in and generates data stored in localStorage (e.g. draft schedules, cached filters, pending items). When User A logs out and User B logs in on the same browser, User B sees User A's localStorage data because logout does not clear app-specific localStorage keys. This is a security issue when apps rely on localStorage for sensitive state.
Fix
Clear all app-specific localStorage keys in the logout action
Logout typically only clears auth tokens. App state stored in localStorage persists across user sessions because it is keyed by feature name, not by user ID.
1. Create a storageService.clear() that removes all app keys

Maintain a list of all keys your app writes to localStorage:

```typescript
// Every key the app writes to localStorage. Keep this list in sync with
// each write site: a key that is missing here survives logout.
const APP_STORAGE_KEYS = [
  'app_pending_items',
  'app_cached_filters',
  'app_draft_data',
  'app_user_prefs',
]

export const storageService = {
  clear() {
    APP_STORAGE_KEYS.forEach(key => localStorage.removeItem(key))
  },
}
```

2. Call storageService.clear() in the logout action

In your Redux logout action or logout handler:

```typescript
import { createAsyncThunk } from '@reduxjs/toolkit'
// `api` and `storageService` are your project's own modules.

export const logout = createAsyncThunk('auth/logout', async () => {
  try {
    await api.post('/auth/logout')
  } finally {
    storageService.clear() // runs even if the server call fails
  }
})
```

3. Also clear on login to handle mid-session switches

Clear storage when a new user logs in (on confirmOTP.fulfilled and signIn.fulfilled) to handle the case where a user signs into a different account without logging out first.
Validation
Log in as User A, perform actions that write to localStorage, log out, log in as User B. User B should see no data from User A.
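As an added example (not code from the original post), here is an offline replay of the validation step: an in-memory stand-in for localStorage, the clear routine, and a session-switch simulation run with and without the fix. It goes one step beyond the post by sweeping any key under an assumed `app_` prefix after the list-based removal, so a key that was never added to APP_STORAGE_KEYS is still cleared; the prefix and the `app_new_feature_cache` key are constructed assumptions.

```typescript
// Minimal in-memory stand-in for window.localStorage so the scenario runs
// outside a browser. Same method names and null-on-miss semantics.
class MemoryStorage {
  private data = new Map<string, string>()
  getItem(key: string): string | null { return this.data.has(key) ? this.data.get(key)! : null }
  setItem(key: string, value: string): void { this.data.set(key, value) }
  removeItem(key: string): void { this.data.delete(key) }
  key(i: number): string | null { return Array.from(this.data.keys())[i] ?? null }
  get length(): number { return this.data.size }
}

// Same key list as the fix above. The prefix is an assumption for the sweep.
const APP_STORAGE_KEYS = ['app_pending_items', 'app_cached_filters', 'app_draft_data', 'app_user_prefs']
const APP_KEY_PREFIX = 'app_'

// Remove the known keys, then sweep anything else under the app prefix so a
// key that reached the code but not the list is still cleared.
export function clearAppStorage(storage: MemoryStorage): void {
  APP_STORAGE_KEYS.forEach(k => storage.removeItem(k))
  const stragglers: string[] = []
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i)
    if (k !== null && k.startsWith(APP_KEY_PREFIX)) stragglers.push(k)
  }
  stragglers.forEach(k => storage.removeItem(k)) // collect first, then delete
}

// Replay "User A writes, logs out, User B logs in" and return what B can read.
export function simulateSessionSwitch(clearOnLogout: boolean): Record<string, string | null> {
  const storage = new MemoryStorage()
  // User A's session (constructed sample data)
  storage.setItem('auth_token', 'token-A')
  storage.setItem('app_draft_data', JSON.stringify({ owner: 'userA', schedule: 'Mon 9-5' }))
  storage.setItem('app_new_feature_cache', 'userA-cache') // key not in APP_STORAGE_KEYS
  // Logout: the unfixed handler only drops the auth token
  storage.removeItem('auth_token')
  if (clearOnLogout) clearAppStorage(storage)
  // User B logs in
  storage.setItem('auth_token', 'token-B')
  return {
    draft: storage.getItem('app_draft_data'),
    cache: storage.getItem('app_new_feature_cache'),
    token: storage.getItem('auth_token'),
  }
}
```

With `clearOnLogout` false, User B reads User A's draft and the unlisted cache key; with it true, both come back null while B's own token is intact.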
Environment
- Product: React / Next.js
- Environment: production
Submitted by
Alex Chen