
Set-Cookie header no longer removing cookie

So I've been using the following code for a while now

Set cookie

// Issue the auth cookie: 'domain' and 'httpOnly' become the Domain and HttpOnly
// attributes of the Set-Cookie header, 'signed' signs the value with the cookie-parser secret
res.cookie(AUTH_TOKEN_NAME, token, {
  maxAge: AUTH_TOKEN_EXP,
  domain: DOMAIN,
  signed: true,
  httpOnly: true
});

Expire cookie

// Expire the cookie (no options passed) and send the user back to /
res.clearCookie(AUTH_TOKEN_NAME);
res.redirect(303, '/');

And it's been working fine; however, just recently, after deploying to production, this code has stopped working. Things to note:

  • Code is run from a subdomain, e.g. x.domain.com, and DOMAIN=domain.com (I've also tried .domain.com, which also didn't work)
  • The header is in the response (see below)
  • I'm not explicitly setting path, as Express assumes / if it's not provided. Regardless, I did set it to rule it out; it didn't make a difference.
  • This isn't browser specific; I've not tried it on every browser, but the behaviour is the same on Chrome or Safari and...
  • This does work locally, i.e. being run from localhost:3000 with DOMAIN=localhost

I don't think this is an Express problem, as it seems to be doing its job; it seems like the problem lies with the browser, but the fact it works locally contradicts that, so I've come to the conclusion it is something to do with Express.

Redeployed node_modules, double-checked versions etc. (I use a lock file anyway) and can't quite put my finger on what's going on.

HTTP Request

GET /logout HTTP/1.1
Host: x.domain.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://x.domain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,da;q=0.7
Cookie: auth_token=xxxxxx

HTTP Response

HTTP/1.1 303 See Other
Content-Length: 50
Content-Type: text/html; charset=utf-8
Location: /
Vary: Accept
Server: Microsoft-IIS/10.0
Set-Cookie: auth_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Express
X-Powered-By: ASP.NET
Date: Sun, 25 Feb 2018 13:24:01 GMT

Versions

  • Node: 8.1.4
  • Express: 4.16.2

The Express docs state, "Web browsers and other compliant clients will only clear the cookie if the given options is identical to those given to res.cookie(), excluding expires and maxAge."

Therefore I would suggest you try:

// Pass the same domain (and any path) options used when the cookie was set,
// so the expiring Set-Cookie header identifies the same cookie the browser holds
res.clearCookie(AUTH_TOKEN_NAME, {
  domain: DOMAIN,
  signed: true,
  httpOnly: true
});
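To show why the logout header in the question leaves the session cookie in the browser (so the user stays logged in after "logging out") while the answer's version clears it, here is a small model of a browser cookie jar following the RFC 6265 rule that a cookie is identified by (name, domain, path). This is an added example, not code from the question, the answer or Express; the Set-Cookie strings are constructed from the headers above, and the Max-Age value of the original cookie is assumed.

```javascript
// Minimal model of a browser cookie jar with RFC 6265 semantics (constructed for
// this example). A Set-Cookie without a Domain attribute creates a host-only cookie
// for the request host, a different cookie from one created with Domain=domain.com.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: null, path: '/', expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1);
    if (k === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
    else if (k === 'path') c.path = v;
    else if (k === 'expires') c.expires = new Date(v);
    else if (k === 'max-age') c.expires = new Date(Date.now() + Number(v) * 1000);
  }
  return c;
}
class CookieJar {
  constructor() { this.store = new Map(); }
  // Apply one Set-Cookie header received in a response from `host`.
  receive(host, header) {
    const c = parseSetCookie(header);
    const hostOnly = c.domain === null;
    const domain = hostOnly ? host.toLowerCase() : c.domain;
    const key = `${c.name}|${domain}|${c.path}`; // cookie identity: name, domain, path
    // An already-expired cookie evicts only the stored cookie with the same identity.
    if (c.expires && c.expires.getTime() <= Date.now()) this.store.delete(key);
    else this.store.set(key, { ...c, domain, hostOnly });
  }
  // Names of the cookies a browser would attach to a request for host/path.
  cookiesFor(host, path = '/') {
    return [...this.store.values()]
      .filter((c) => (c.hostOnly ? host === c.domain : host === c.domain || host.endsWith('.' + c.domain)))
      .filter((c) => path === c.path || path.startsWith(c.path.endsWith('/') ? c.path : c.path + '/'))
      .map((c) => c.name);
  }
}
// Store the cookie as issued by res.cookie() in the question (Max-Age is assumed),
// apply one of the two logout headers, and return what the browser still sends.
function simulateLogout(logoutHeader) {
  const jar = new CookieJar();
  jar.receive('x.domain.com', 'auth_token=xxxxxx; Max-Age=3600; Domain=domain.com; Path=/; HttpOnly');
  jar.receive('x.domain.com', logoutHeader);
  return jar.cookiesFor('x.domain.com', '/logout');
}
// Header from the question's response: no Domain, so it targets a host-only cookie on x.domain.com.
const LOGOUT_WITHOUT_DOMAIN = 'auth_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT';
// Header res.clearCookie() produces when given the same domain option as res.cookie().
const LOGOUT_WITH_DOMAIN = 'auth_token=; Domain=domain.com; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT';
console.log(simulateLogout(LOGOUT_WITHOUT_DOMAIN), simulateLogout(LOGOUT_WITH_DOMAIN)); // [ 'auth_token' ] []
```

The first call shows the stale session cookie still being sent after the redirect, which is what the question observes; a cookie set for the parent domain can only be cleared by a header carrying that same Domain attribute.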
