Reputation: 355
The code to set the session cookie is the following:
import ms from 'ms';

res.cookie(newCookieName, sessionCookie, {
  domain: getCookiesDomain(),
  maxAge: ms('30 days'),   // 30 days, in milliseconds
  secure: true,
  httpOnly: true,
  sameSite: 'lax'
});
On logout we do this:
import type { Response } from 'express';

// Clears one session cookie; when a SameSite value is given it is sent along
// with the removal, otherwise the attribute is left unset.
function clearOneSessionCookie(res: Response, cookieName: string, sameSite?: 'lax' | 'strict' | 'none'): void {
  if (sameSite) {
    res.clearCookie(cookieName, {
      domain: getCookiesDomain(),
      maxAge: -1000,
      httpOnly: true,
      secure: true,
      sameSite: sameSite
    });
  } else {
    res.clearCookie(cookieName, {
      domain: getCookiesDomain(),
      maxAge: -1000,
      httpOnly: true,
      secure: true
    });
  }
}

// Issued for every SameSite option used at the various stages of the project.
clearOneSessionCookie(res, newCookieName);
clearOneSessionCookie(res, newCookieName, 'lax');
clearOneSessionCookie(res, newCookieName, 'strict');
clearOneSessionCookie(res, legacyCookieName);
clearOneSessionCookie(res, legacyCookieName, 'lax');
clearOneSessionCookie(res, legacyCookieName, 'strict');
We apply all possible options of clearOneSessionCookie because, at various stages of our project's move to different cookie names and options, we used different sameSite options.
I even updated to the latest express and cookie-parser packages in the hope of fixing that, but no effect so far.
After the logout request, the following information is displayed in the Cookies tab in Google Chrome:
Request Cookies:
Response Cookies:
old_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Lax
old_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Strict
new_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Lax
new_cookie_name: domain = www.example.com, path = /, max-age: -1000 ms, HttpOnly = yes, Secure = yes, Same-Site: Strict
Notice that there is no row like
So, it seems that the call
clearOneSessionCookie(res, legacyCookieName);
does not work or is not understood/recognized by the browser.
This specific set-cookie has been ignored:
set-cookie: old_cookie_name=; Max-Age=-1; Domain=www.example.com; Path=/; Expires=Sat, 04 Jun 2022 15:27:10 GMT; HttpOnly; Secure
What is the best way to clear a cookie with the old name and without an explicit Same-Site value applied?
Thanks for your answers and time.
Update:
Clarification of the symptoms of the problem:
The legacyCookieName cookie has SameSite not set (no value for the SameSite attribute); as an outcome, the existing users who were signed in before the migration to the new cookie setting are unable to sign out of the website.
Update: Even if I made a workaround for this problem (see the marked answer), if someone offers a better working solution while the bounty is active, the prize is yours.
Upvotes: 1
Views: 990
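As an added illustration (not code from the question or from Express), here is the cookie-identity rule a standards-following cookie store applies to the Set-Cookie headers above: a stored cookie is keyed by name, domain and path only, so SameSite plays no part in whether a deletion matches, whereas a Domain that differs from the stored one does. Cookie values and the login headers are constructed.

```javascript
// Added example (not from the question): a tiny RFC 6265-style cookie store.
// A cookie's identity is (name, domain, path); SameSite is not part of it, so a
// deletion header matches the stored cookie whatever SameSite either carries.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: '',
    path: '/', maxAge: null, expires: null, sameSite: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1);
    if (k === 'domain') c.domain = v.toLowerCase();
    else if (k === 'path') c.path = v || '/';
    else if (k === 'max-age') c.maxAge = parseInt(v, 10);   // Max-Age wins over Expires
    else if (k === 'expires') c.expires = new Date(v);
    else if (k === 'samesite') c.sameSite = v.toLowerCase();
  }
  return c;
}

const identity = (c) => `${c.name}|${c.domain}|${c.path}`;

// Apply Set-Cookie headers in order; a non-positive Max-Age (or a past Expires
// when Max-Age is absent) removes the cookie with the same identity.
function applySetCookies(store, headers, now = Date.now()) {
  for (const h of headers) {
    const c = parseSetCookie(h);
    const gone = (c.maxAge !== null && c.maxAge <= 0) ||
      (c.maxAge === null && c.expires !== null && c.expires.getTime() <= now);
    if (gone) store.delete(identity(c)); else store.set(identity(c), c);
  }
  return store;
}

// Constructed scenario: the two session cookies as set at login, then the six
// logout headers from the question (no SameSite, Lax, Strict for each name).
// `clearDomain` lets the caller show the usual failure mode: a Domain that
// differs from the stored cookie's does not match, and nothing is deleted.
function logoutDemo(clearDomain = 'www.example.com') {
  const store = applySetCookies(new Map(), [
    'old_cookie_name=abc; Domain=www.example.com; Path=/; Max-Age=2592000; HttpOnly; Secure',
    'new_cookie_name=def; Domain=www.example.com; Path=/; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax',
  ]);
  const clears = ['old_cookie_name', 'new_cookie_name'].flatMap((n) =>
    ['', '; SameSite=Lax', '; SameSite=Strict'].map((ss) =>
      `${n}=; Max-Age=-1; Domain=${clearDomain}; Path=/; HttpOnly; Secure${ss}`));
  return [...applySetCookies(store, clears).keys()];   // identities still stored
}
```

Whatever a given browser does with the deletion header, a logout that also invalidates the session record server-side means a cookie the browser keeps is no longer accepted.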
Reputation: 355
After trying various tricks and tweaks to the settings of the legacy cookie removal API call, I came to the conclusion that so far there is a single workaround for the bug being described:
1. authProtocolVersion, with a value like 1 if a session is involved in request processing.
2. legacySyssionCookie even if it is still present, and newCookieName not present on request arrival.
3. clearOneSessionCookie calls in all possible combinations of SameSite (not set, none, lax, strict), to make sure that eventually the legacy auth cookie will be cleared as soon as that bug with cookie cleanup is fixed on the browser side.
Upvotes: 1
Reputation: 884
With the new Chrome update, if you don't specify sameSite, then it defaults to sameSite:'lax'.
So if you set a cookie with sameSite:'lax' and clearCookie with no SameSite property, then the cookie gets deleted, because no sameSite = sameSite:'lax'.
Upvotes: 0