Unable to remove session cookie in Firefox using JavaScript

Question

For our front-end application, we are using authentication with session cookie. When user needs to be authenticated he is redirected to log-in page, after that he is redirected to application. The session cookie is set. The ugly part is that we don't have any control over authentication server, and from what I am seeing, with each request from client, the value in the cookie is updated.

The problem is, when the user wants to log-out, we are just removing session cookie. This approach is working great in all browsers except Firefox.

For some reason, Firefox can't remove or update the cookie. When we try to do that, Firefox immediately creates new one with valid value.

For now we tried several things:

1. Trying to remove the cookie.
2. Updating the cookie (expiration, name and etc).

We tried the following code:

$.removeCookie('cookie_key');

$.cookie('cookie_key', null); 

document.cookie = '';

Any ideas where the problem might be?

Answer 1

Have you tried this solution from this answer ? :

function delete_cookie( name, path, domain ) {
  if( get_cookie( name ) ) {
    document.cookie = name + "=" +
      ((path) ? ";path="+path:"")+
      ((domain)?";domain="+domain:"") +
      ";expires=Thu, 01 Jan 1970 00:00:01 GMT";
  }
}

Or:

function delete_cookie( name ) {
  document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
}

Also did you take a look at the developer.mozilla.org page about cookies?

syntax:

docCookies.removeItem(name[, path[, domain]])

Answer 2

After running into a similar issue myself, I came to the following conclusion: Unlike Chrome, Firefox requires path=/; . On top of that, domain=… may only be provided if the cookie was set with a domain. The developer tools of both Chrome and Firefox show a domain in either case. If a particular cookie cannot be deleted with the domain set, then try to remove it without a domain set and vice versa. The following code works for me in both Chrome and Firefox when the second parameter is set appropriately:

const date = new Date(0).toUTCString();
function clearCookie(name, domain = true) {
    document.cookie = name + '=; path=/; expires=' + date + (domain ? '; domain=your-domain.example' : '');
}

Furthermore, Firefox's refresh items button in the storage tab of its developer tools does not work correctly in version 88.0. You can check whether the cookies (without the HttpOnly flag) were removed only with console.log(document.cookie); .