So here's a few things I did for debugging.
I always like to start with the command line – it's the most "true" way to see what the redirects engine is doing. I use a tool called httpie so the command I use here is just https which fires off a basic GET request.
~ https https://zen-lewin-04367e.netlify.app/houses-for-sale/
GET /houses-for-sale/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: zen-lewin-04367e.netlify.app
User-Agent: HTTPie/2.3.0
HTTP/1.1 403 Forbidden
Age: 0
Cache-Control: public,max-age=300
Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Feb 2021 17:40:59 GMT
Etag: "2fca8a1083ab4bf690b9086844222bff-ssl"
Server: Netlify
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
X-NF-Request-ID: 70885c53-8056-40dc-b76c-856069614619-53932943
X-Xss-Protection: 1; mode=block
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta http-equiv="Content-Security-Policy" content="">
etc...
So the role-gate for /houses-for-sale/ is working. I sent a GET with no JWT and got kicked out – with a 403 response and the /no-access/ page being rendered as the content of the page. Working great
I did make an account on the site real quick, so I'm going to grab the JWT that gave me and use that in another command-line request to the same path, using the JWT as the appropriate cookie header. I want to make sure that the role-gate allows me through with a valid JWT. Obfuscating my JWT for the sake of your site security
~ https https://zen-lewin-04367e.netlify.app/houses-for-sale/ Cookie:nf_jwt='eyJhbInR5cCI6IkpXVCJ9.eyJleHAiOjE2MTMxNTUxMzMsInN1YiI6IjhjZTA3ODY3LTNlMmYtNGMyN5In19.ixsIuHniUZ8lk79oS_P7Tft_tVR1a9w'
GET /houses-for-sale/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: nf_jwt=eyJhbGciOiJ9.eyJleHAiOjE2MTMxNWV0YWRhdGEiOnsiZnVsbF9uYW1lIjoidGVzdGVyIHN1bGx5In19.ixsPnmP7Tft_tVR1a9w
Host: zen-lewin-04367e.netlify.app
User-Agent: HTTPie/2.3.0
HTTP/1.1 200 OK
Age: 1
Cache-Control: public,max-age=300
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Feb 2021 17:47:51 GMT
Etag: "4691a63d0bf91d06e0c8a0bc4ae7004e-ssl-df"
Server: Netlify
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-NF-Request-ID: e55d6fdf-23ed-4d03-a917-8bc5e15611f3-4538712
X-Xss-Protection: 1; mode=block
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta http-equiv="Content-Security-Policy" content="">
<link rel="preload" as="style" href="https://fonts.googleapis.com/css?family=Poppins:400,500&display=swap" />
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Poppins:400,500&display=swap" media="print" onload="this.media='all'" />
<title>Houses for Sale in Coonoor, Ooty and Kotagiri, The Nilgiris</title>
<meta content="Villa and Houses for Sale in Coonoor, Ooty and Kotagiri. We deal wi....
etc. – the correct page 👍🏻
So with a valid JWT the page is allowed through. The _redirects are working great. Generally speaking, that means something's going on with the javascript-level / client-side code that's running on your site.
I popped open your site and hit the /houses-for-sale/ route in the browser. Here's what I saw in the Network tools:
There's a pretty big flag in there. "Source: Service Worker".
If I go ahead and log out, I can see in the network log that the correct logout request was made by netlify-identity-widget to your Netlify Identity instance – a POST to https://zen-lewin-04367e.netlify.app/.netlify/identity/logout
But again, the service worker is playing a middle-role that it really shouldn't be. Using a service worker on sites that have both public and private content can be really tricky. If it's not absolutely critical to your development (which… I won't pass opinions on but lots of folks have been fine without SWs for a long time) I would advise you to just not use service worker(s) on the site. That should shore up any of the oddness where your local storage and cookies may be clear but you're getting gated content back anyway. In that case, the SW is probably giving you back the private content because it has no idea about auth and that you logged out
Hope that's helpful!
–
Jon
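Added example (my own, not Jon's or Netlify's code): if a service worker has to stay on a site with role-gated routes, this is the caching policy that keeps the gated pages and the Identity endpoints out of the SW cache and flushes the cache on logout, which is exactly the failure the post describes. The private-path prefix, the cache name and the `{type:'logout'}` message the page posts are assumptions.

```javascript
// Added example (not from the original post): a service-worker caching policy
// that keeps role-gated pages out of the SW cache, so a logged-out browser is
// never handed a stale private page. Prefixes and cache name are assumptions.
const PRIVATE_PREFIXES = ['/houses-for-sale/']; // routes behind the _redirects role gate
const IDENTITY_PREFIX = '/.netlify/identity/';  // Netlify Identity API (login/logout)
const CACHE_NAME = 'site-public-v1';            // assumed cache name
// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === want) return v;
  return '';
}
// 'network-only' for anything whose answer depends on who is asking. The gated
// 200 in the post carried only "Vary: Accept-Encoding", so the path list is what
// actually protects private routes, not the response headers.
function cachePolicy(urlString, method = 'GET') {
  const { pathname } = new URL(urlString, 'https://example.invalid');
  if (method !== 'GET') return 'network-only';
  if (pathname.startsWith(IDENTITY_PREFIX)) return 'network-only';
  if (PRIVATE_PREFIXES.some((p) => pathname.startsWith(p))) return 'network-only';
  return 'cache-first';
}
// Only a plain 200 is stored: the gate's 403 (/no-access/ body) must never be
// cached, nor anything that set a cookie or varies on one.
function isCacheable(status, headers) {
  if (status !== 200) return false;
  const vary = header(headers, 'vary').toLowerCase().split(',').map((s) => s.trim());
  return !vary.includes('cookie') && header(headers, 'set-cookie') === '';
}
// Service-worker glue; skipped when run outside a worker (e.g. under Node).
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const { url, method } = event.request;
    if (cachePolicy(url, method) === 'network-only') return; // let Netlify's gate answer
    event.respondWith(caches.open(CACHE_NAME).then(async (cache) => {
      const hit = await cache.match(event.request);
      if (hit) return hit;
      const res = await fetch(event.request);
      if (isCacheable(res.status, Object.fromEntries(res.headers))) cache.put(event.request, res.clone());
      return res;
    }));
  });
  // The page posts {type:'logout'} once netlify-identity-widget's logout completes,
  // so nothing fetched while logged in can outlive the session.
  self.addEventListener('message', (event) => {
    if (event.data && event.data.type === 'logout') {
      event.waitUntil(caches.keys().then((ks) => Promise.all(ks.map((k) => caches.delete(k)))));
    }
  });
}
```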