Logout.do redirects to navpage.do in an Incognito BrowserIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } When using the logout.do parameter in the instance URL, the behavior in an incognito window differs from the expected outcome.Instead of processing the redirection defined after logout.do, the browser automatically redirects to navpage.do, ignoring any additional parameters. The expected behavior is that, upon logout, the user should be redirected to the URL specified in the sysparm_goto_url parameter — whether it is an internal or external destination. However, when executed in an incognito session, the system consistently redirects to: https://<instance_name>.service-now.com/navpage.do Example https://<instance_name>.service-now.com/logout.do?sysparm_goto_url=https://<instance_name>.service-now.com/sp In this case, instead of navigating to the specified Service Portal (/sp), the user is redirected to navpage.do immediately after logout when using an incognito window. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } When accessing a URL in the following format: https://<instance_name>.service-now.com/logout.do?sysparm_goto_url=<internal_URL> The system does not honor the redirection defined in the sysparm_goto_url parameter.Even when the target URL is properly URL-encoded, the result remains the same. Example (encoded URL) https://<instance_name>.service-now.com/logout.do?sysparm_goto_url=https%3A%2F%2F<instance_name>.service-now.com%2Fsp In both cases, the user is redirected to navpage.do instead of the intended destination.This redirection represents the current behavior of the issue observed when executing logout.do — especially when tested in an incognito window. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All versions Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } When using the logout.do endpoint in the following format: https://<instance_name>.service-now.com/logout.do?sysparm_goto_url=<redirection> an incognito window does not contain a valid JSESSIONID or glide_user_session.Because of this, ServiceNow cannot perform a proper logout operation, resulting in a redirection first to session_timeout.do, and then to navpage.do, instead of continuing to the specified sysparm_goto_url=<redirection> parameter. To confirm this behavior, it is recommended to review the HAR file from the browser's Network tab. This allows you to trace the redirection sequence and identify how logout.do is being processed after it is triggered. Example HAR Output In the first key-value pair of the Location header, it can be observed that no session was detected during the logout.do request.Neither JSESSIONID nor glide_user_session were present, leading to a redirection to session_timeout.do: { "request": { "method": "GET", "url": "https://<instance_name>.service-now.com/logout.do?sysparm_goto_url=%2F%3F%3D<URL>" }, "response": { "status": 302, "statusText": "Found", "headers": [ { "name": "Location", "value": "/session_timeout.do" }, { "name": "Cache-Control", "value": "no-cache, no-store, must-revalidate" }, { "name": "Pragma", "value": "no-cache" } ] } }, { "request": { "method": "GET", "url": "https://<instance_name>.service-now.com/logout.do?sysparm_goto_url=%2Fpsp%3Fid%3<instance_name>.service-now.com/sp" }, "response": { "status": 302, "statusText": "Found", "headers": [ { "name": "Location", "value": "/session_timeout.do" } ] } } The next entries show the redirection sequence after logout.do fails to locate a session to terminate: { "request": { "url": "https://<instance_name>.service-now.com/session_timeout.do" }, "response": { "status": 302, "headers": [ { "name": "Location", "value": "/navpage.do" } ] } }, { "request": { "url": "https://<instance_name>.service-now.com/navpage.do" }, "response": { "status": 200 } } As shown above, the logout.do call redirects to session_timeout.do, which ultimately leads to navpage.do. This confirms that the behavior occurs because no valid session was available to log out. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } When working with logout.do, the behavior described is expected and consistent across all ServiceNow versions. This endpoint is designed to log out users, which inherently requires a valid JSESSIONID. Therefore, redirects such as session_timeout.do followed by navpage.do may occur as part of the normal logout process. To minimize these redirects — especially when not using an incognito window — you can review the glide.security.url.whitelist property under System Properties. Ensuring that the desired external URL is included in this whitelist allows ServiceNow to recognize it as a trusted redirection target. In summary, the purpose of this article is to clarify the logout.do works as intended, particularly in incognito sessions. Any attempt to modify or bypass this native behavior would require a customization, which is outside of standard platform functionality. Related Links<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Enforce URL allowlist check