You can customize Flarum cookies through the cookie key in config.php. That key doesn't exist by default but can be added. It's a two-level array with another set of keys inside. I don't think there's public documentation of the available values but you can see them in the code here:
Most interesting are probably cookie.domain. Untested example on how the config.php could be modified:
<?php return array (
  'debug' => false,
  'url' => 'https://forum.flarum.tld',
  // Cookie options are nested under the 'cookie' key
  'cookie' => array (
    'path' => '/',
    'domain' => 'flarum.tld',
  ),
);
Please note that deleting the session or remember cookie doesn't invalidate the tokens, however. Hitting the Flarum logout endpoint is necessary to ensure any stolen token can't be re-used.
In my WordPress integration extension I have implemented a logout loop where WordPress redirects through Flarum during logout to ensure proper token revocation. I implemented this with a custom logout controller that uses the same code as Flarum but accepts signed URLs instead of a CSRF token, allowing for a completely interaction-free logout.
If you don't care about logout being interaction-free, you can redirect the user to flarum.domain/logout and they will be prompted to click a button to finish logout.
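The signed-URL idea mentioned in the post above, as an added illustration that is not the extension's or Flarum's own code: an HMAC-signed, expiring logout link that a controller can accept in place of a CSRF token. The route, function names, parameter names and shared secret are all assumptions made for this sketch.

```php
<?php
// Added example; every name here is hypothetical, not Flarum or WordPress API.
const LOGOUT_PATH = '/integration/logout'; // hypothetical route

// WordPress side: build a short-lived link bound to one user.
function buildSignedLogoutUrl(string $base, int $userId, string $secret, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    $sig = hash_hmac('sha256', LOGOUT_PATH . '|' . $userId . '|' . $expires, $secret);
    $query = http_build_query(['user' => $userId, 'expires' => $expires, 'sig' => $sig]);
    return rtrim($base, '/') . LOGOUT_PATH . '?' . $query;
}

// Flarum side: return the user id to log out, or null if the link is not acceptable.
function verifySignedLogoutUrl(string $url, string $secret, int $now): ?int
{
    $parts = parse_url($url);
    if (!is_array($parts) || ($parts['path'] ?? '') !== LOGOUT_PATH) {
        return null;
    }
    parse_str($parts['query'] ?? '', $q);
    foreach (['user', 'expires', 'sig'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return null; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($q['user']) || !ctype_digit($q['expires'])) {
        return null;
    }
    $expected = hash_hmac('sha256', LOGOUT_PATH . '|' . $q['user'] . '|' . $q['expires'], $secret);
    if (!hash_equals($expected, $q['sig'])) {
        return null; // altered parameters or wrong key
    }
    if ((int) $q['expires'] < $now) {
        return null; // link has expired
    }
    return (int) $q['user']; // caller now revokes this user's tokens and clears cookies
}

// Constructed sample values.
$secret = 'constructed-shared-secret';
$url = buildSignedLogoutUrl('https://forum.flarum.tld', 42, $secret, 60, 1700000000);
var_dump(verifySignedLogoutUrl($url, $secret, 1700000030));  // inside the validity window
var_dump(verifySignedLogoutUrl($url, $secret, 1700000100));  // after expiry
var_dump(verifySignedLogoutUrl(str_replace('user=42', 'user=43', $url), $secret, 1700000030)); // user id altered
```

The signature is checked with a constant-time comparison before the expiry is evaluated, and the path is part of the signed payload so a signature issued for this route cannot be reused on another one.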