So I've been using the following code for a while now:

Set cookie

```javascript
res.cookie(AUTH_TOKEN_NAME, token, {
  maxAge: AUTH_TOKEN_EXP,
  domain: DOMAIN,
  signed: true,
  httpOnly: true
});
```

Expire cookie

```javascript
res.clearCookie(AUTH_TOKEN_NAME);
res.redirect(303, '/');
```
And it's been working fine, however, only after just recently deploying to production this code has stopped working. Things to note:

- `x.domain.com` and `DOMAIN=domain.com` (I've also tried `.domain.com`, which also didn't work)
- `path` as Express assumes `/` if it's not provided - regardless, I did this to rule it out, it didn't make a difference.
- `localhost:3000` with `DOMAIN=localhost`

I don't think this is an Express problem as it seems to be doing its job, it seems like the problem lies with the browser but the fact it works locally contradicts that so I've come to the conclusion it is something to do with Express.

Redeployed `node_modules`, double checked versions etc. (I use a lock file anyway) and can't quite put my finger on what's going on.
HTTP Request

```http
GET /logout HTTP/1.1
Host: x.domain.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://x.domain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,da;q=0.7
Cookie: auth_token=xxxxxx
```

HTTP Response

```http
HTTP/1.1 303 See Other
Content-Length: 50
Content-Type: text/html; charset=utf-8
Location: /
Vary: Accept
Server: Microsoft-IIS/10.0
Set-Cookie: auth_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Express
X-Powered-By: ASP.NET
Date: Sun, 25 Feb 2018 13:24:01 GMT
```
Versions
The express docs state, "Web browsers and other compliant clients will only clear the cookie if the given options is identical to those given to res.cookie(), excluding expires and maxAge."
Therefore I would suggest you try:

```javascript
res.clearCookie(AUTH_TOKEN_NAME, {
  domain: DOMAIN,
  signed: true,
  httpOnly: true
});
```
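To see why the answer's fix works, here is an added example (not code from the question or the answer) that models how a browser stores cookies keyed by name, domain and path: the logout `Set-Cookie` in the question creates a host-only entry for `x.domain.com` that never matches the login cookie set with `Domain=domain.com`, while on `localhost` with `DOMAIN=localhost` the two keys coincide, which is why it worked locally. All header values below are constructed from the post.

```javascript
// Added example (not from the question or answer): a minimal model of how a
// browser stores cookies keyed by (name, domain, path), RFC 6265 section 5.3,
// which is why clearCookie() must repeat the Domain the cookie was set with.
// Parse one Set-Cookie header value into a cookie record for the request host.
function parseSetCookie(header, requestHost) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
                   domain: requestHost, path: '/', expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

// Store a cookie the way a browser does: an entry with the same
// (name, domain, path) is replaced, and an already-expired cookie removes it.
function storeCookie(jar, header, requestHost, now = new Date()) {
  const c = parseSetCookie(header, requestHost);
  const key = `${c.name}|${c.domain}|${c.path}`;
  if (c.expires && c.expires <= now) jar.delete(key);
  else jar.set(key, c);
  return jar;
}

// Cookies left in the jar after a login Set-Cookie and a logout Set-Cookie,
// both received from the same host.
function cookiesAfterLogout(host, loginHeader, logoutHeader) {
  const jar = storeCookie(new Map(), loginHeader, host);
  storeCookie(jar, logoutHeader, host);
  return [...jar.values()].map(c => `${c.name}=${c.value}`);
}

// Constructed headers mirroring the question: login on x.domain.com with
// DOMAIN=domain.com, then the logout response shown in the post (no Domain).
const LOGIN = 'auth_token=xxxxxx; Domain=domain.com; Path=/; HttpOnly';
const EXPIRED = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT';
const LOGOUT_NO_DOMAIN = `auth_token=; Path=/; ${EXPIRED}`;
const LOGOUT_WITH_DOMAIN = `auth_token=; Domain=domain.com; Path=/; ${EXPIRED}`;

console.log(cookiesAfterLogout('x.domain.com', LOGIN, LOGOUT_NO_DOMAIN));   // [ 'auth_token=xxxxxx' ]
console.log(cookiesAfterLogout('x.domain.com', LOGIN, LOGOUT_WITH_DOMAIN)); // []
// Locally host and Domain coincide, so the keys match and the bug stays hidden.
console.log(cookiesAfterLogout('localhost', 'auth_token=xxxxxx; Domain=localhost; Path=/', LOGOUT_NO_DOMAIN)); // []
```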