
I'm so far unable to unset a session through a logout endpoint I have created in Rocket.

Below is the code that creates the cookie:

use rocket::http::{Cookie, SameSite};

// Newtype around the session token string (the struct definition is implied
// by the impl below; added here so the snippet compiles on its own).
pub struct AuthToken(String);

impl AuthToken {
    pub fn from_string(string: String) -> Self {
        AuthToken(string)
    }

    pub fn to_string_ptr(&self) -> &String {
        &self.0
    }

    // Builds the session cookie the signup/login handlers add to the jar.
    // Note: no Domain attribute is set, so the browser stores it as a host-only cookie.
    pub fn as_cookie(&self) -> Cookie<'static> {
        let clone = self.0.clone();

        Cookie::build("session-token", clone)
            .path("/")
            .same_site(SameSite::Strict)
            .http_only(true)
            .finish()
    }
}

And this is the code that attempts to destroy it:

use rocket::http::{Cookie, Cookies};

#[post("/logout")]
pub fn logout(mut cookies: Cookies) -> APIResponse {
    // Cookie::named sets neither Path nor Domain, so the removal cookie Rocket
    // generates carries no Domain attribute either.
    cookies.remove(Cookie::named("session-token"));

    ok().data(json!({
        "success": true
    }))
}

The cookie is added either when POST '/signup' or POST '/login' is called successfully.

In Chrome devtools you can see the cookie being set in the POST '/login' response.

(image: Login Response Headers)

Then I logout using POST '/logout', and get this response:

(image: Logout Response Headers)

At this point I do a hard refresh. Afterwards GET '/get-profile' is called, which shouldn't work when logged out, but the browser still sends the cookie in the request headers.

So it seems the session cookie isn't being properly unset, is there a proper way to do this in Rocket?

Gabriel Ratener

1 Answer

When you look at the documentation it says the following:

pub fn remove(&mut self, cookie: Cookie<'static>)

Removes cookie from this collection and generates a "removal" cookies to send to the client on response. For correctness, cookie must contain the same path and domain as the cookie that was initially set. Failure to provide the initial path and domain will result in cookies that are not properly removed.

A "removal" cookie is a cookie that has the same name as the original cookie but has an empty value, a max-age of 0, and an expiration date far in the past.

This is exactly what happens when you look at the Set-Cookie header. The problem I had was that the removal cookie was set on a different domain than the original cookie. After making sure the removal cookie was set on the same domain, the cookie is reset correctly.

Create cookie:

use rocket::http::{Cookie, Cookies};
use time::Duration; // time 0.1, the Duration type Rocket 0.4's cookie builder takes

// Wrapper added for context: the posted snippet used `key`, `value` and
// `cookies` from its surrounding handler.
fn add_session_cookie(cookies: &mut Cookies, key: &'static str, value: String) {
    // Both values are read at compile time; the build fails if either is unset.
    let domain = env!("DOMAIN", "DOMAIN must be set");
    let app_env = env!("APP_ENV", "APP_ENV must be set");

    let on_production = app_env == "production";

    let cookie = Cookie::build(key, value)
        .domain(domain.to_string())
        .path("/")
        .secure(on_production)
        .max_age(Duration::days(365))
        .http_only(true)
        .finish();

    cookies.add_private(cookie);
}

Remove cookie:

use rocket::http::{Cookie, Cookies};
use time::Duration;

// Wrapper added for context: the posted snippet used `name` and `cookies`
// from its surrounding handler.
fn remove_session_cookie(cookies: &mut Cookies, name: &'static str) {
    let domain = env!("DOMAIN", "DOMAIN must be set");
    let app_env = env!("APP_ENV", "APP_ENV must be set");

    let on_production = app_env == "production";

    // Same Domain and Path as the cookie that was set; otherwise the browser
    // treats the removal cookie as a different cookie and keeps the original.
    // (The posted snippet hard-coded "lvh.me" here and left `domain` unused.)
    let cookie = Cookie::build(name, "")
        .domain(domain.to_string())
        .path("/")
        .secure(on_production)
        .max_age(Duration::days(365))
        .http_only(true)
        .finish();

    cookies.remove_private(cookie);
}

Ramsy de Vos
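To see why the "same path and domain" rule quoted above matters, here is an added example that models a browser cookie jar with the standard library only, so it runs without Rocket. It is not code from the question, the answer, or the Rocket project. The jar keys stored cookies by (name, domain, path) and stores a cookie that carried a Domain attribute with a leading dot, so a host-only cookie for lvh.me and a Domain=lvh.me cookie are separate entries; this is a simplified model of how Chromium keys cookies, not a full RFC 6265 implementation. The host lvh.me, the token value, and the helper names are constructed for the example.

```rust
use std::collections::HashMap;

/// The parts of a Set-Cookie header that decide which stored entry it
/// affects (name, Domain, Path), plus Max-Age, which marks a "removal"
/// cookie. Constructed for this example; not Rocket's Cookie type.
#[derive(Debug, Clone)]
struct SetCookie {
    name: String,
    value: String,
    domain: Option<String>, // None = no Domain attribute (host-only cookie)
    path: String,
    max_age: Option<i64>,
}

impl SetCookie {
    /// The login cookie, with or without a Domain attribute.
    fn session(domain: Option<&str>) -> Self {
        SetCookie {
            name: "session-token".into(),
            value: "abc123".into(), // constructed token value
            domain: domain.map(str::to_string),
            path: "/".into(),
            max_age: Some(365 * 24 * 3600),
        }
    }

    /// Shape of a removal cookie: same name, empty value, Max-Age=0, and
    /// whatever Domain/Path the caller supplied.
    fn removal(domain: Option<&str>) -> Self {
        SetCookie {
            name: "session-token".into(),
            value: String::new(),
            domain: domain.map(str::to_string),
            path: "/".into(),
            max_age: Some(0),
        }
    }
}

/// Simplified browser cookie jar keyed by (name, domain, path). A cookie
/// with a Domain attribute is stored under ".domain"; a host-only cookie
/// is stored under the request host itself, so the two never collide.
#[derive(Default)]
struct CookieJar {
    store: HashMap<(String, String, String), String>,
}

impl CookieJar {
    /// Process one Set-Cookie header received in a response from `host`.
    fn apply(&mut self, host: &str, c: &SetCookie) {
        let domain = match &c.domain {
            Some(d) => format!(".{}", d.trim_start_matches('.')),
            None => host.to_string(),
        };
        let key = (c.name.clone(), domain, c.path.clone());
        match c.max_age {
            // Max-Age <= 0 evicts the entry with exactly this key, nothing else.
            Some(n) if n <= 0 => {
                self.store.remove(&key);
            }
            _ => {
                self.store.insert(key, c.value.clone());
            }
        }
    }

    /// Names of the cookies the browser would attach to a request for
    /// `host` + `path` (domain-match and path-prefix match, sorted).
    fn cookies_for(&self, host: &str, path: &str) -> Vec<String> {
        let mut out: Vec<String> = self
            .store
            .keys()
            .filter(|(_, domain, cpath)| {
                let domain_ok = if let Some(suffix) = domain.strip_prefix('.') {
                    host == suffix || host.ends_with(&format!(".{}", suffix))
                } else {
                    host == domain.as_str()
                };
                domain_ok && path.starts_with(cpath.as_str())
            })
            .map(|(name, _, _)| name.clone())
            .collect();
        out.sort();
        out
    }
}

/// Log in from host lvh.me with a session cookie carrying `set_domain`, then
/// log out with a removal cookie carrying `removal_domain`. Returns the
/// cookies still sent to GET /get-profile afterwards.
fn login_then_logout(set_domain: Option<&str>, removal_domain: Option<&str>) -> Vec<String> {
    let host = "lvh.me";
    let mut jar = CookieJar::default();
    jar.apply(host, &SetCookie::session(set_domain));
    jar.apply(host, &SetCookie::removal(removal_domain));
    jar.cookies_for(host, "/get-profile")
}

fn main() {
    // Set with Domain=lvh.me, removed without Domain: different key, cookie survives.
    println!("Domain on set, none on removal: {:?}", login_then_logout(Some("lvh.me"), None));
    // Same Domain on both: the entry is evicted.
    println!("Domain on both:                 {:?}", login_then_logout(Some("lvh.me"), Some("lvh.me")));
    // Host-only on both (the question's AuthToken cookie + Cookie::named): evicted.
    println!("no Domain on either:            {:?}", login_then_logout(None, None));
}
```

A removal cookie the browser cannot match is just a new, empty cookie stored beside the original, which keeps being sent, exactly what the question's GET '/get-profile' request showed. Note also that the browser dropping the cookie is not what ends the session: a client can keep the old token and replay it, so a logout endpoint should additionally invalidate the token on the server so a stale session-token is rejected regardless of what the browser does.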