signOut deletes wos_session but default session cookie is wos-session #6

@rgcottrell

Describe the bug

The default session cookie name is wos-session (hyphen), but signOut unconditionally deletes wos_session (underscore). Because the cookie that’s actually set (wos-session) is not removed, the browser keeps sending it after sign-out. Subsequent requests think there’s a session present but fail when attempting to refresh the access token. This appears to last as long as the access token is not expired.

To Reproduce

  1. Install and configure @workos/authkit-tanstack-react-start in a new TanStack Start app.
  2. Do not set WORKOS_COOKIE_NAME (use the default).
  3. Sign in; observe a cookie named wos-session is created.
  4. Call signOut (e.g., const { signOut } = useAuth(); await signOut();).
  5. Inspect cookies: wos-session is still present; no wos_session cookie exists.
  6. Navigate or trigger any request that reads the session and refreshes the access token.

Expected behavior

signOut should delete the configured session cookie (defaulting to wos-session) so the user is fully signed out and subsequent requests do not treat the session as present.

Additional context

I observed this while trying the Convex + TanStack Start + WorkOS sample application. The visible effect was that after sign-out, the user menu at the top remains showing a signed-in user and there is a flash of content as the <Authenticated> content is initially displayed and then shortly replaced by the <Unauthenticated> fallback when Convex rejects the supplied token.

The workaround is to set the cookie name to match what signOut deletes:

# .env.local
WORKOS_COOKIE_NAME=wos_session
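
The mismatch reported above, modelled as an added example (this is not code from the issue or from the AuthKit library): a toy cookie jar shows why clearing `wos_session` leaves `wos-session` in place, and how resolving the name once for both set and delete avoids it. Only the two cookie names and `WORKOS_COOKIE_NAME` come from the issue; every function name and the placeholder cookie value are assumptions.

```javascript
// Added example: a minimal model of browser cookie handling, not WorkOS code.
// Real browsers also match on Domain and Path; only the name is modelled here.
const DEFAULT_COOKIE_NAME = "wos-session"; // default name stated in the issue

// Resolve the session cookie name in one place (hypothetical helper).
function sessionCookieName(env = {}) {
  return env.WORKOS_COOKIE_NAME || DEFAULT_COOKIE_NAME;
}

// Build a Set-Cookie header that expires the named cookie.
function clearCookieHeader(name, path = "/") {
  return `${name}=; Path=${path}; Max-Age=0; HttpOnly; Secure; SameSite=Lax`;
}

// Apply a Set-Cookie header to a jar (Map of name -> value).
// Names are compared exactly, so "wos_session" never touches "wos-session".
function applySetCookie(jar, header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const expired = attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a));
  if (expired) jar.delete(name);
  else jar.set(name, value);
  return jar;
}

// Behaviour reported in the issue: the deleted name is hard-coded.
function signOutHardCoded(jar) {
  return applySetCookie(jar, clearCookieHeader("wos_session"));
}

// Expected behaviour from the issue: delete whichever name is configured.
function signOutConfigured(jar, env = {}) {
  return applySetCookie(jar, clearCookieHeader(sessionCookieName(env)));
}

// Constructed sample: jar contents right after sign-in.
function jarAfterSignIn(env = {}) {
  return new Map([[sessionCookieName(env), "sealed-session-placeholder"]]);
}

console.log("hard-coded:", [...signOutHardCoded(jarAfterSignIn()).keys()]);
console.log("configured:", [...signOutConfigured(jarAfterSignIn()).keys()]);
```

A regression test for this class of bug asserts that the session cookie is absent after sign-out under both the default and a custom `WORKOS_COOKIE_NAME`.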
