fiber: ClearCookie does not remove cookie
Fiber version v2
Issue description ClearCookie does not remove cookie
Code snippet
I have 2 routes.
- a POST Sign in route to set the cookie
cookie := new(fiber.Cookie)
cookie.Name = "JWT"
cookie.Value = "....."
cookie.Domain = "mydomain.com"
cookie.HTTPOnly = true
cookie.Expires = expires
c.Cookie(cookie)
and second route is a POST for sign out which removes the cookie
c.ClearCookie("JWT")
In Chrome, the cookie continues to exist after Sign Out and the user is able to make calls to restricted routes.
Chrome Version 87.0.4280.141 (Official Build) (x86_64)
About this issue
- State: closed
- Created 3 years ago
- Comments: 22 (10 by maintainers)
I just ran into this, and fenny is right about this issue also existing on express.
I'm just chiming in with what my solution was as I think it can be useful to others.
At login I then call my function as
and to clear it's just
This obviously locks the calls to a single endpoint/domain but for my use case (HTTP Only refresh tokens) it works great, my functions are named more specifically and have expiration computed based on an environment variable.
I think I know what it is
When I do it, curl returns me
which includes the domain
domain=mydomain.com
So how would ClearCookie know the domain if it's not a parameter, and perhaps it does not use what it knows from the cookie.
curl shows me that when using ClearCookie I get
So Chrome seems to ignore the fact the cookie came from the same subdomain and thus ignores it.
Btw, my site is on the primary and the REST api code is running on
api.domain.com
Just tried it again with c.ClearCookie("JWT") and still did not work.
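The diagnosis above (a clearing Set-Cookie that omits the Domain attribute names a different cookie than the one sign-in created) can be reproduced with Go's standard cookie jar, which applies the same name + domain + path identity rule as a browser. This is an added example, not code from the issue or from Fiber; the host api.mydomain.com and the token value are constructed, and the 2009 expiry is the CookieExpireDelete value quoted later in the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"time"
)

// apiURL stands in for the API host mentioned in the thread (constructed value).
var apiURL = &url.URL{Scheme: "https", Host: "api.mydomain.com", Path: "/"}

// cookieExpireDelete is the past date fasthttp/Fiber's ClearCookie writes as Expires.
var cookieExpireDelete = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)

// newJar returns a client-side cookie store; no public-suffix list is needed for this demo.
func newJar() http.CookieJar {
	jar, _ := cookiejar.New(nil)
	return jar
}

// hasJWT reports whether the jar would still send a JWT cookie to apiURL.
func hasJWT(jar http.CookieJar) bool {
	for _, c := range jar.Cookies(apiURL) {
		if c.Name == "JWT" {
			return true
		}
	}
	return false
}

// signIn mirrors the issue's sign-in handler: a domain cookie scoped to mydomain.com.
func signIn(jar http.CookieJar) {
	jar.SetCookies(apiURL, []*http.Cookie{{Name: "JWT", Value: "token", Domain: "mydomain.com",
		HttpOnly: true, Expires: time.Now().Add(time.Hour)}})
}

// clearWithoutDomain is what ClearCookie("JWT") sends: name + past expiry, no Domain.
// The client files it as a host-only cookie for api.mydomain.com, so nothing matches.
func clearWithoutDomain(jar http.CookieJar) {
	jar.SetCookies(apiURL, []*http.Cookie{{Name: "JWT", Expires: cookieExpireDelete}})
}

// clearWithDomain resends the same Domain and Path, so the identity matches and the entry is dropped.
func clearWithDomain(jar http.CookieJar) {
	jar.SetCookies(apiURL, []*http.Cookie{{Name: "JWT", Domain: "mydomain.com", Path: "/", Expires: cookieExpireDelete}})
}

func main() {
	jar := newJar()
	signIn(jar)
	clearWithoutDomain(jar)
	fmt.Println("after domainless clear, JWT still present:", hasJWT(jar)) // true
	clearWithDomain(jar)
	fmt.Println("after clear with Domain, JWT still present:", hasJWT(jar)) // false
}
```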
You're right, nice catch! I think you can use custom way to delete the cookie.
I'll submit this issue to fasthttp. Thanks again!
Okay, could you please give us a runnable demo to reproduce this issue?
Tbh, there is no reason that c.ClearCookie does not work. I believe maybe somewhere is not right.
Cookie was removed with -3
You were hoping that perhaps the browser pre-saw the expiration and ignored it. Nice!
Could you try cookie.Expires = time.Now().Add(-3 * time.Second)?
And c.ClearCookie internally sets the cookie expiration to CookieExpireDelete = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
Apart from the fact that c.ClearCookie("JWT") should be functional, client-side JavaScript cannot remove it because of HTTPOnly = true.