What you try to do doesn't work well as cookies do not work that way.
The easy things first:
HttpOnly, Domain and Secure: These values are not transmitted in a HTTP client request, these fields of c
will always be empty. The client uses these fields to determine whether to send a (Name,Value)-pair in the Cookie
header or not but doesn't send these values.
For HttpOnly, Secure (and SameSite) this does not matter as these (and MaxAge and Expires) do not contribute to the cookie identity.
Cookie identity is based on the tripple (Domain,Path,Name) as sent in a SetCookie
header. Often Domain and Path are implicit but they do have defined values on the client.
Now to delete a cookie with identity (Domain-X, Path-X, Name-X) you must send a cookie with the same identity (Domain-X, Path-X, Name-X) and MaxAge=-1. But as explained above the cookie you receive doesn't contain Domain and Path.
There are two ways out:
You must know whether your cookies are domain or host cookies and which path they were set for and use that information to delete them. (I would recommend this.)
Delete all possible cookies. Upon a request to path /foo/bar/wuz
the cookies from the client might stem from path /
, /foo
or /foo/bar
(if I remember correctly; test and look it up in RFC 6265). So delete the cookie with name "Name-X" for all these paths. Do the same for the Domain attribute which unfortunately is more complicated. Delete the host cookie (Domain=="") and delete the domain cookies (Domain!=""). Make sure to get the right domain name (the effective TLD plus one).
As you see 2 is pretty complicated. But that is how cookies are designed: The server is expected to know what cookies the servers sets i.e. the server is expected to know the cookie identity (Domain,Path,Name) of all its cookies. The responsibility of the client is to send back the appropriate (Name,Value) pair for a certain request only. If the server wishes to delete a cookie it just sets MaxAge of that cookie to -1. Note that "that cookie" is something the server is expected to know and not infer from a client request.