diff --git a/server/auth/auth.go b/server/auth/auth.go
index 7a6fd822b9..358a4eb709 100644
--- a/server/auth/auth.go
+++ b/server/auth/auth.go
@@ -91,6 +91,20 @@ func SetUser(c echo.Context, user *User) error {
 	return nil
 }
 
+func ClearUser(c echo.Context) error {
+	err := clearAccessToken(c)
+	if err != nil {
+		return err
+	}
+
+	err = clearIDToken(c)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func ValidateAuth(c echo.Context, cfgProvider *config.ConfigProviderWithRefresh) error {
 	cfg, err := cfgProvider.GetConfig()
 	if err != nil {
@@ -162,6 +176,23 @@ func setAccessToken(c echo.Context, token string) error {
 	return nil
 }
 
+func clearAccessToken(c echo.Context) error {
+	sess, _ := session.Get(AuthCookie, c)
+	sess.Options = &sessions.Options{
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
+	}
+	err := sess.Save(c.Request(), c.Response())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func getAuthorizationExtras(c echo.Context) string {
 	sess, _ := session.Get(AuthExtrasCookie, c)
 	if sess == nil {
@@ -192,3 +223,20 @@ func setIDToken(c echo.Context, idToken *IDToken) error {
 
 	return nil
 }
+
+func clearIDToken(c echo.Context) error {
+	sess, _ := session.Get(AuthExtrasCookie, c)
+	sess.Options = &sessions.Options{
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
+	}
+	err := sess.Save(c.Request(), c.Response())
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/server/routes/auth.go b/server/routes/auth.go
index 1afde9e786..b2fe50b01d 100644
--- a/server/routes/auth.go
+++ b/server/routes/auth.go
@@ -33,8 +33,6 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/securecookie"
-	"github.com/gorilla/sessions"
-	"github.com/labstack/echo-contrib/session"
 	"github.com/labstack/echo/v4"
 	"github.com/temporalio/ui-server/v2/server/auth"
 	"github.com/temporalio/ui-server/v2/server/config"
@@ -150,15 +148,10 @@ func authenticateCb(ctx context.Context, oauthCfg *oauth2.Config, provider *oidc
 }
 
 func logout(c echo.Context) error {
-	sess, _ := session.Get(auth.AuthCookie, c)
-	sess.Options = &sessions.Options{
-		Path:     "/",
-		MaxAge:   -1,
-		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
-		Secure:   true,
+	err := auth.ClearUser(c)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "unable to clear user: "+err.Error())
 	}
-	sess.Save(c.Request(), c.Response())
 
 	returnUrl := c.Request().Header.Get("Referer")
 	if returnUrl == "" {