From 1e5c1ed2431cbf04c2b4a15464abfd28787a91f2 Mon Sep 17 00:00:00 2001
From: Mahbub
Date: Mon, 2 Mar 2026 07:25:29 -0600
Subject: [PATCH 1/2] Set COOKIE_AUTH_ENABLED=true by default to prevent broken authentication
---
 api/app/settings/common.py | 2 +-
 docker-compose.yml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/api/app/settings/common.py b/api/app/settings/common.py
index 50f9b28932c1..601a369b3a87 100644
--- a/api/app/settings/common.py
+++ b/api/app/settings/common.py
@@ -1170,7 +1170,7 @@ DISABLE_INVITE_LINKS = env.bool("DISABLE_INVITE_LINKS", False)
 PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)
 PREVENT_EMAIL_PASSWORD = env.bool("PREVENT_EMAIL_PASSWORD", default=False)
-COOKIE_AUTH_ENABLED = env.bool("COOKIE_AUTH_ENABLED", default=False)
+COOKIE_AUTH_ENABLED = env.bool("COOKIE_AUTH_ENABLED", default=True)
 USE_SECURE_COOKIES = env.bool("USE_SECURE_COOKIES", default=True)
 COOKIE_SAME_SITE = env.str("COOKIE_SAME_SITE", default="none")
diff --git a/docker-compose.yml b/docker-compose.yml
index b404569edd7b..eec9b29b6c86 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,6 +31,7 @@ services:
 USE_POSTGRES_FOR_ANALYTICS: 'true' # Store API and Flag Analytics data in Postgres
 ENVIRONMENT: production # set to 'production' in production.
+ COOKIE_AUTH_ENABLED: 'true'
 DJANGO_ALLOWED_HOSTS: '*' # Change this in production
 FLAGSMITH_DOMAIN: localhost:8000 # Change this in production
 DJANGO_SECRET_KEY: secret # Change this in production
From 212cbcca6f8a7bdf0d29bd14c9c89cdf44f6a651 Mon Sep 17 00:00:00 2001
From: Mahbub Alam
Date: Mon, 2 Mar 2026 13:42:59 -0600
Subject: [PATCH 2/2] Invoke logout API in backend on login button click
---
 api/app/settings/common.py | 2 +-
 docker-compose.yml | 1 -
 frontend/common/stores/account-store.js | 5 ++---
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/api/app/settings/common.py b/api/app/settings/common.py
index 601a369b3a87..50f9b28932c1 100644
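Review bot: Flipping the default of COOKIE_AUTH_ENABLED to True changes the authentication model for every deployment that does not set the variable, while the same hunk leaves COOKIE_SAME_SITE at its default of "none", so the auth cookie will be attached to cross-site requests; whether the cookie-authenticated endpoints enforce CSRF protection is not visible here and should be confirmed before cookie sessions become the default. The new default also deserves a comment on the line, e.g. `# Cookie-based auth is on by default; set COOKIE_AUTH_ENABLED=false for bearer-token-only deployments`. Note that PATCH 2/2 of this series reverts this line and the matching `COOKIE_AUTH_ENABLED: 'true'` entry in docker-compose.yml back to their previous values, so merged as-is the net change of the two config hunks is nil; either squash the series or drop this commit so the intermediate default never lands in history.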
--- a/api/app/settings/common.py
+++ b/api/app/settings/common.py
@@ -1170,7 +1170,7 @@ DISABLE_INVITE_LINKS = env.bool("DISABLE_INVITE_LINKS", False)
 PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)
 PREVENT_EMAIL_PASSWORD = env.bool("PREVENT_EMAIL_PASSWORD", default=False)
-COOKIE_AUTH_ENABLED = env.bool("COOKIE_AUTH_ENABLED", default=True)
+COOKIE_AUTH_ENABLED = env.bool("COOKIE_AUTH_ENABLED", default=False)
 USE_SECURE_COOKIES = env.bool("USE_SECURE_COOKIES", default=True)
 COOKIE_SAME_SITE = env.str("COOKIE_SAME_SITE", default="none")
diff --git a/docker-compose.yml b/docker-compose.yml
index eec9b29b6c86..b404569edd7b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,7 +31,6 @@ services:
 USE_POSTGRES_FOR_ANALYTICS: 'true' # Store API and Flag Analytics data in Postgres
 ENVIRONMENT: production # set to 'production' in production.
- COOKIE_AUTH_ENABLED: 'true'
 DJANGO_ALLOWED_HOSTS: '*' # Change this in production
 FLAGSMITH_DOMAIN: localhost:8000 # Change this in production
 DJANGO_SECRET_KEY: secret # Change this in production
diff --git a/frontend/common/stores/account-store.js b/frontend/common/stores/account-store.js
index 373f8da730c3..3c0a39d79c4d 100644
--- a/frontend/common/stores/account-store.js
+++ b/frontend/common/stores/account-store.js
@@ -356,9 +356,8 @@ const controller = {
 if (!data.token) {
 return
 }
- ;(Project.cookieAuthEnabled
- ? data.post(`${Project.api}auth/logout/`, {})
- : Promise.resolve()
+
+ data.post(`${Project.api}auth/logout/`, {}
 ).finally(() => {
 API.setCookie('t', '')
 data.setToken(null)
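Review bot: The new `data.post(...)` call ends on `, {}` with the closing `).finally(() => {` left on the following context line, a leftover of deleting the ternary's wrapping parentheses, and the empty added line above it is stray; join the call and its `.finally` onto one line and drop the blank line. Removing the Project.cookieAuthEnabled guard means the backend logout endpoint is now called for token-based sessions as well, which is the right direction for server-side token revocation, but a rejected POST (network failure, already-invalid token) is not handled anywhere in the hunk: the cleanup in `.finally` still runs, yet if nothing later in the chain catches it the failure surfaces as an unhandled promise rejection, so a `.catch` that at least logs the error is worth adding. The enclosing method starts before the hunk and its `.finally` callback continues past the last line shown.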