spring-security/docs/modules/ROOT/pages/reactive/authentication/logout.adoc

[[reactive-logout]]
= Logout

Spring Security provides a logout endpoint by default.
Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
This will:

- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
- redirect back to the login page

Often, you will want to also invalidate the session on logout.
To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:

.Java
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
    DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
            new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
    );

    http
        .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
        .logout((logout) -> logout.logoutHandler(logoutHandler));

    return http.build();
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
    val customLogoutHandler = DelegatingServerLogoutHandler(
        WebSessionServerLogoutHandler(), SecurityContextServerLogoutHandler()
    )
    
    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        logout {
            logoutHandler = customLogoutHandler
        }
    }
}
----