Transaction cookies are not cleaned up when refresh token has expired
Hi,
I’ve followed the advice in https://github.com/auth0/auth0-spa-js/issues/449 to allow us to handle when the refresh_token has expired. I manually create the client and then call checkSession, instead of using createAuth0Client. I’m using rotating refresh tokens and local storage.
If checkSession fails, I call .logout({localOnly: true}) to clear the token from local storage (otherwise I end up getting errors after re-login) and then immediately call loginWithRedirect.
The problem that I’m running into is that sometimes transaction cookies (a0.spajs.txs…) are being left behind. The cookies are all sent with the requests and it’s possible to end up with enough cookies that I start receiving 431 Request Header Fields Too Large errors which I can only resolve by clearing cookies.
With a long refresh_token expiry time, this is unlikely to become a problem (I’m testing with a very short token lifetime at the moment) but I’d like to make sure my implementation is cleaning up after itself.
Is there any way to clear out the old cookies? Is the fact that this can happen a bug in library or should I be handling it myself?
Thanks
Thanks. The only thing you can do when you get an invalid_refreshtoken error is to ensure that you put the user through the interactive login flow again to get a new token. Looks like you’re doing that by logging them out, but we could be doing a better job of cleaning that up ourselves when we throw that error. Let me put something in our backlog to fix that.
Yes, the logout makes sure that the local storage is clean and doesn’t keep sending the expired refresh token (I think that might be a bug). Then the guard or interceptor handles forcing the login again.
Thanks for the help/explanation 😃