fiber: 🐛 ClearCookie does not remove cookie

Fiber version v2

Issue description ClearCookie does not remove cookie

Code snippet

I have 2 routes.

  1. a POST Sign in route to set the cookie
func signIn(c *fiber.Ctx) error {
	expires := time.Now().Add(24 * time.Hour) // assumed expiry; the issue does not show how it is computed
	cookie := new(fiber.Cookie)
	cookie.Name = "JWT"
	cookie.Value = "....."
	cookie.Domain = "mydomain.com"
	cookie.HTTPOnly = true
	cookie.Expires = expires

	c.Cookie(cookie)
	return nil
}

and second route is a POST for sign out which removes the cookie

c.ClearCookie("JWT")

In chrome, the cookie continues to exist after Sign Out and user able to make calls to restricted routes. Chrome Version 87.0.4280.141 (Official Build) (x86_64)

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 22 (10 by maintainers)

Most upvoted comments

I just ran into this, and fenny is right about this issue also existing on express.

I’m just chiming in with what my solution was as I think it can be useful to others.

package utils

import (
	"time"

	"github.com/gofiber/fiber/v2"
)

// SetCookie issues the cookie with the fixed Path and Domain from buildCookie.
func SetCookie(c *fiber.Ctx, name string, value string, expiration time.Time) {
	c.Cookie(buildCookie(name, value, expiration))
}

// ClearCookie overwrites the cookie with an empty value and an expiry in the past.
// Because buildCookie restates the same Path and Domain, the browser matches the
// existing cookie and drops it instead of storing a second, unrelated one.
func ClearCookie(c *fiber.Ctx, name string) {
	c.Cookie(buildCookie(name, "", time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)))
}

// buildCookie centralises the cookie attributes so set and clear always agree.
func buildCookie(name string, value string, expires time.Time) *fiber.Cookie {
	cookie := new(fiber.Cookie)
	cookie.Name = name
	cookie.Value = value
	cookie.HTTPOnly = true
	cookie.Expires = expires
	cookie.Path = "/api/v1/auth/"
	cookie.Domain = "example.com"

	return cookie
}

At login I then call my function as

utils.SetCookie(c, "refresh-token", token, expiration)

and to clear it’s just

utils.ClearCookie(c, "refresh-token")

This obviously locks the calls to a single endpoint/domain, but for my use case (HTTP Only refresh tokens) it works great; my functions are named more specifically and have the expiration computed based on an environment variable.

I think I know what it is

When I do it, curl returns me

Set-Cookie: JWT=deleted; expires=Fri, 22 Jan 2021 09:53:25 GMT; domain=mydomain.com; path=/; HttpOnly; SameSite=Lax

which includes the domain domain=mydomain.com

So how would ClearCookie know the domain if it’s not a parameter, and perhaps it does not use what it knows from the cookie?

curl shows me that when using ClearCookie I get

Set-Cookie: JWT=; expires=Tue, 10 Nov 2009 23:00:00 GMT

So Chrome seems to ignore the fact the cookie came from the same subdomain and thus ignores it.

Btw, my site is on the primary and the REST api code is running on api.domain.com

Just tried it again with c.ClearCookie("JWT") and still did not work.

You’re right, nice catch! I think you can use a custom way to delete the cookie.

I’ll submit this issue to fasthttp. Thanks again!

Okay, could you please give us a runnable demo to reproduce this issue?

Tbh, there is no reason that c.ClearCookie does not work. I believe something is not right somewhere.

Cookie was removed with -3

You were hoping that perhaps the browser pre-saw the expiration and ignored it. Nice!

Could you try cookie.Expires = time.Now().Add(-3 * time.Second)?

And c.ClearCookie internally sets cookie expiration to CookieExpireDelete = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)

Apart from the fact that c.ClearCookie("JWT") should be functional, the client side javascript cannot remove it because of the HTTPOnly = true.
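Added example (not from the issue or the Fiber project): it uses Go's net/http/cookiejar, which applies the same RFC 6265 name/domain/path matching a browser does, to show why the bare Set-Cookie quoted from ClearCookie above leaves the JWT cookie in place while a deletion that restates the original Domain and Path removes it. The hostnames and token value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"time"
)

// Fixed past date that fasthttp/Fiber send on deletion (quoted in the thread).
var CookieExpireDelete = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)

// hasCookie reports whether the jar would still send a cookie called name to u.
func hasCookie(jar http.CookieJar, u *url.URL, name string) bool {
	for _, c := range jar.Cookies(u) {
		if c.Name == name {
			return true
		}
	}
	return false
}

// simulateSignOut stores the session cookie the way the sign-in route in the
// issue does (Domain = parent domain, Path "/"), then applies a deletion
// Set-Cookie with the given Domain and Path. It returns true if JWT survives.
func simulateSignOut(delDomain, delPath string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	signOut, _ := url.Parse("https://api.example.com/api/v1/auth/signout") // constructed host
	jar.SetCookies(signOut, []*http.Cookie{{
		Name: "JWT", Value: "constructed-token", Domain: "example.com",
		Path: "/", HttpOnly: true, Expires: time.Now().Add(time.Hour),
	}})
	// A cookie store keys entries by (name, domain, path); a past Expires only deletes a matching key.
	jar.SetCookies(signOut, []*http.Cookie{{
		Name: "JWT", Value: "", Domain: delDomain, Path: delPath,
		Expires: CookieExpireDelete,
	}})
	return hasCookie(jar, signOut, "JWT"), nil
}

func main() {
	bare, _ := simulateSignOut("", "")                // what ClearCookie emits: no Domain, no Path
	matched, _ := simulateSignOut("example.com", "/") // Domain and Path restated
	fmt.Printf("bare deletion: cookie still present=%v\n", bare)       // true
	fmt.Printf("matching deletion: cookie still present=%v\n", matched) // false
}
```

A deletion without Domain is stored as a host-only cookie for api.example.com with a default Path derived from the request URL, so it never overwrites the domain cookie for example.com that the sign-in route created.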