Express clearCookie does not work as expected with options supplied

Time:06-13

The code to set the session cookie is the following:

    // ms('30 days') comes from the ms package; getCookiesDomain() is a project helper.
    res.cookie(newCookieName, sessionCookie, {
        domain: getCookiesDomain(),
        maxAge: ms('30 days'),   // milliseconds; Express emits Max-Age in seconds
        secure: true,
        httpOnly: true,
        sameSite: 'lax'
    });

On logout we do this:

import type { Response } from 'express';

// getCookiesDomain() is the project helper that returns the cookie domain.
// Every attribute except SameSite is identical in all variants, so the
// optional attribute is spread in instead of duplicating the call.
function clearOneSessionCookie(res: Response, cookieName: string, sameSite?: 'lax' | 'strict' | 'none'): void {
    res.clearCookie(cookieName, {
        domain: getCookiesDomain(),
        maxAge: -1000,          // milliseconds; Express emits Max-Age=-1 plus an Expires in the past
        httpOnly: true,
        secure: true,
        ...(sameSite ? { sameSite } : {})
    });
}



    clearOneSessionCookie(res, newCookieName);
    clearOneSessionCookie(res, newCookieName, 'lax');
    clearOneSessionCookie(res, newCookieName, 'strict');
    clearOneSessionCookie(res, legacyCookieName);
    clearOneSessionCookie(res, legacyCookieName, 'lax');
    clearOneSessionCookie(res, legacyCookieName, 'strict');

We apply all possible options of clearOneSessionCookie because, at various stages of our project's move to a different cookie name and options, we used different sameSite options.

I even updated to the latest express and cookie-parser packages in the hope of fixing that, but with no effect so far.

After the logout request, the following information is displayed in the Cookies tab of Google Chrome:

Request Cookies:

  • old_cookie_name: domain = www.example.com, path = /, expires = Future_Date_1, HttpOnly = yes, Secure = yes, SameSite=[not set!]
  • new_cookie_name: domain = www.example.com, path = /, expires = Future_Date_2, HttpOnly = yes, Secure = yes, SameSite=Lax

Response Cookies:

  • old_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Lax
  • old_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Strict
  • new_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Lax
  • new_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Strict

Notice that there is no row like

  • old_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: [not set]

So it seems that the call

clearOneSessionCookie(res, legacyCookieName);

does not work or is not understood/recognized by the browser. This specific set-cookie has been ignored:

set-cookie: old_cookie_name=; Max-Age=-1; Domain=www.example.com; Path=/; Expires=Sat, 04 Jun 2022 15:27:10 GMT; HttpOnly; Secure

What is the best way to clear a cookie with the old name and without an explicit SameSite value applied?

Thanks for your answers and time.

Update: clarification of the symptoms of the problem: the legacyCookieName cookie has no SameSite attribute set; as a result, existing users who were signed in before the migration to the new cookie setting are unable to sign out of the website.

Update: even if I made a workaround for this problem (see the marked answer), if someone offers a better working solution while the bounty is active, the prize is yours.

CodePudding user response:

With the new Chrome update, if you don't specify sameSite then it defaults to sameSite: 'lax'.

So if you set a cookie with sameSite: 'lax' and clearCookie with no SameSite property, then the cookie gets deleted, because no SameSite is equal to sameSite: 'lax'.
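The following is an added example, not code from the question or from either answer. It is a minimal cookie store that follows the storage rules of RFC 6265 section 5.3 closely enough to show when a Set-Cookie header deletes an existing cookie: a stored cookie is identified by (name, domain, path), while SameSite, Secure and HttpOnly are attributes that do not take part in that match. It models the specification only, not any browser-specific handling, so it cannot reproduce the Chrome behaviour reported in the question; what it does show is which attributes a deleting header has to match, and that a mismatched Domain or Path is the usual reason a clearCookie call leaves a cookie in place. All header strings, including the copy of the header from the question, are constructed for the example.

```javascript
// Added example (not code from the question or the answers): a minimal cookie
// store following the RFC 6265 section 5.3 storage rules closely enough to show
// when a Set-Cookie header deletes an existing cookie. A stored cookie is
// identified by (name, domain, path); SameSite, Secure and HttpOnly are
// attributes of the cookie, not part of its identity, so a deleting header
// does not have to repeat them. All header strings below are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: undefined,      // undefined -> host-only cookie, filled in by the jar
    path: '/',
    maxAge: undefined,      // seconds; may be zero or negative
    expires: undefined,
    secure: false,
    httpOnly: false,
    sameSite: undefined,    // undefined means "attribute absent"
  };
  for (const raw of attrs) {
    const [k, ...rest] = raw.trim().split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'max-age') cookie.maxAge = Number(val);
    else if (key === 'expires') cookie.expires = new Date(val);
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Max-Age takes precedence over Expires (RFC 6265 section 5.3, step 3).
function isExpired(cookie, now) {
  if (cookie.maxAge !== undefined && !Number.isNaN(cookie.maxAge)) return cookie.maxAge <= 0;
  if (cookie.expires !== undefined) return cookie.expires.getTime() <= now;
  return false;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.store = new Map(); }

  static identity(c) { return `${c.name}|${c.domain}|${c.path}`; }

  // Apply one Set-Cookie header received in a response from `host`.
  // Returns what happened so callers can check it.
  setCookie(header, host, now = Date.now()) {
    const c = parseSetCookie(header);
    if (c.domain === undefined) c.domain = host.toLowerCase();
    else if (!domainMatches(host.toLowerCase(), c.domain)) return 'rejected';
    const key = CookieJar.identity(c);
    if (isExpired(c, now)) {
      // An expired cookie removes the stored cookie with the same identity and
      // is itself discarded; nothing happens if no such cookie exists.
      return this.store.delete(key) ? 'deleted' : 'no-match';
    }
    this.store.set(key, c);
    return 'stored';
  }

  names() { return [...this.store.values()].map((c) => c.name).sort(); }
}

// Scenario mirroring the question: a legacy cookie set without SameSite and a
// new cookie set with SameSite=Lax, followed by several deletion attempts.
function runScenario() {
  const host = 'www.example.com';
  const jar = new CookieJar();
  jar.setCookie('old_cookie_name=legacy; Domain=www.example.com; Path=/; Max-Age=2592000; HttpOnly; Secure', host);
  jar.setCookie('new_cookie_name=current; Domain=www.example.com; Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax', host);
  const r = {};
  // Parent domain: accepted by the jar, but a different identity, so nothing is deleted.
  r.wrongDomain = jar.setCookie('old_cookie_name=; Max-Age=-1; Domain=example.com; Path=/; HttpOnly; Secure', host);
  // Different path: again a different identity.
  r.wrongPath = jar.setCookie('old_cookie_name=; Max-Age=-1; Domain=www.example.com; Path=/login; HttpOnly; Secure', host);
  // The header from the question (no SameSite attribute) matches the legacy cookie.
  r.legacy = jar.setCookie('old_cookie_name=; Max-Age=-1; Domain=www.example.com; Path=/; Expires=Sat, 04 Jun 2022 15:27:10 GMT; HttpOnly; Secure', host);
  // A Lax cookie is deleted by a header carrying SameSite=Strict: SameSite is not part of the identity.
  r.newLax = jar.setCookie('new_cookie_name=; Max-Age=-1; Domain=www.example.com; Path=/; HttpOnly; Secure; SameSite=Strict', host);
  r.remaining = jar.names();
  return r;
}

console.log(runScenario());
```

Running the scenario reports `no-match` for the two deletions whose Domain or Path differ from the stored cookie, `deleted` for the header copied from the question and for the Strict deletion of the Lax cookie, and an empty list of remaining cookies. The practical check this suggests for a clearCookie call that appears to be ignored is to compare the Domain and Path of the deleting Set-Cookie, byte for byte, with the ones the browser shows for the stored cookie.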

CodePudding user response:

After trying various tricks and tweaks to the settings of the legacy cookie removal API call, I came to the conclusion that so far there is a single workaround for the bug described:

  1. Add to responses a new cookie such as authProtocolVersion, with a value like 1, if a session is involved in request processing.
  2. If this cookie was already present when the request arrived and the request must interact with the session, this updates the session cookie analysis behavior to skip/ignore legacySessionCookie even if it is still present and newCookieName is not present on request arrival.
  3. Still send, during logout cookie cleanup, the clearOneSessionCookie calls in all possible combinations of SameSite (not set, none, lax, strict), to make sure that the legacy auth cookie will eventually be cleared as soon as that bug with cookie cleanup is fixed on the browser side.
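The three steps above, as an added example that is not the answerer's code: Express-style middleware that uses only `req.headers.cookie` and `res.getHeader`/`res.setHeader`, so it also runs here against the plain mock request and response constructed at the bottom. The cookie names, the version cookie name and the domain are assumptions for the example.

```javascript
// Added example, not the answerer's code: the workaround written as
// Express-style middleware using only req.headers.cookie and
// res.getHeader/res.setHeader. Cookie names, the version cookie name and the
// domain are assumptions for the example.

const NEW_COOKIE = 'new_cookie_name';
const LEGACY_COOKIE = 'old_cookie_name';
const VERSION_COOKIE = 'authProtocolVersion';
const COOKIE_DOMAIN = 'www.example.com';
const SAME_SITE_VARIANTS = [undefined, 'None', 'Lax', 'Strict'];

// Parse a request Cookie header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Step 2: pick the session cookie to trust. Once the version cookie is present,
// the legacy cookie is ignored even if the browser still sends it.
function selectSession(cookies) {
  if (cookies[NEW_COOKIE]) return { source: 'new', token: cookies[NEW_COOKIE] };
  if (cookies[VERSION_COOKIE] === '1') return { source: 'none', token: null };
  if (cookies[LEGACY_COOKIE]) return { source: 'legacy', token: cookies[LEGACY_COOKIE] };
  return { source: 'none', token: null };
}

// Node keeps Set-Cookie as a string or an array of strings; always append.
function appendSetCookie(res, header) {
  const prev = res.getHeader('Set-Cookie');
  const list = prev === undefined ? [] : Array.isArray(prev) ? prev : [prev];
  res.setHeader('Set-Cookie', [...list, header]);
}

// Step 1: whenever a session is involved and the browser does not yet hold the
// version cookie, issue it. This also happens on the logout request itself, so
// a legacy cookie that survives the cleanup is ignored from then on.
function sessionMiddleware(req, res, next) {
  const cookies = parseCookieHeader(req.headers.cookie);
  req.session = selectSession(cookies);
  if (req.session.source !== 'none' && cookies[VERSION_COOKIE] !== '1') {
    appendSetCookie(res, `${VERSION_COOKIE}=1; Domain=${COOKIE_DOMAIN}; Path=/; Max-Age=2592000; Secure; HttpOnly; SameSite=Lax`);
  }
  next();
}

// Step 3: on logout, emit a deletion for both cookie names in every SameSite
// variant. SameSite=None is only valid together with Secure, which is present.
function logoutSetCookieHeaders() {
  const headers = [];
  for (const name of [LEGACY_COOKIE, NEW_COOKIE]) {
    for (const sameSite of SAME_SITE_VARIANTS) {
      const suffix = sameSite === undefined ? '' : `; SameSite=${sameSite}`;
      headers.push(`${name}=; Max-Age=0; Domain=${COOKIE_DOMAIN}; Path=/; HttpOnly; Secure${suffix}`);
    }
  }
  return headers;
}

// Minimal stand-in for http.ServerResponse, constructed for the example.
function makeRes() {
  const headers = {};
  return {
    getHeader: (name) => headers[name.toLowerCase()],
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
  };
}

// Run the middleware for one constructed request and report what it decided.
function runRequest(cookieHeader) {
  const req = { headers: { cookie: cookieHeader } };
  const res = makeRes();
  sessionMiddleware(req, res, () => {});
  return { session: req.session, setCookie: res.getHeader('Set-Cookie') || [] };
}

console.log(runRequest('old_cookie_name=legacy'));                        // legacy session, version cookie issued
console.log(runRequest('old_cookie_name=legacy; authProtocolVersion=1'));  // legacy ignored, no session
console.log(logoutSetCookieHeaders().length);                              // 8
```

The version cookie is the only state that survives a failed deletion, so it is deliberately issued with the same Domain and Path as the session cookies and a long Max-Age; if it expired before the stale legacy cookie did, the legacy session would be honoured again.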