0

I'm having a difficult time deleting all cookies using the following code. What seems to happen is that the domain is changed to append a dot in front of it. Instead of deleting all cookies, I get duplicate cookies with slightly different domains. Is there any way to completely remove all cookies no matter what their domain looks like?

Thanks for any help!

//DeleteCookies deletes all cookies
func DeleteCookies(w http.ResponseWriter, r *http.Request) {
    for _, c := range r.Cookies() {
        deleted := &http.Cookie{
        Name: c.Name,
        Path: c.Path,
        //Expires:  time.Unix(0, 0),
        MaxAge:   -10,
        HttpOnly: c.HttpOnly,
        Domain:   c.Domain,
        Secure:   c.Secure,
        Value:    "",
        }
        http.SetCookie(w, deleted)
    }
}
Brent
  • 805
  • 9
  • 20
  • related: https://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side – Henry Sep 09 '20 at 02:10
  • @MuffinTop This is wrong. Cookies are identified by the tripple (Domain,Name,Path) so you must not modify the path when deleting the cookie. – Volker Sep 09 '20 at 04:31

1 Answers1

2

What you try to do doesn't work well as cookies do not work that way.

The easy things first: HttpOnly, Domain and Secure: These values are not transmitted in a HTTP client request, these fields of c will always be empty. The client uses these fields to determine whether to send a (Name,Value)-pair in the Cookie header or not but doesn't send these values.

For HttpOnly, Secure (and SameSite) this does not matter as these (and MaxAge and Expires) do not contribute to the cookie identity.

Cookie identity is based on the tripple (Domain,Path,Name) as sent in a SetCookie header. Often Domain and Path are implicit but they do have defined values on the client.

Now to delete a cookie with identity (Domain-X, Path-X, Name-X) you must send a cookie with the same identity (Domain-X, Path-X, Name-X) and MaxAge=-1. But as explained above the cookie you receive doesn't contain Domain and Path.

There are two ways out:

  1. You must know whether your cookies are domain or host cookies and which path they were set for and use that information to delete them. (I would recommend this.)

  2. Delete all possible cookies. Upon a request to path /foo/bar/wuz the cookies from the client might stem from path /, /foo or /foo/bar (if I remember correctly; test and look it up in RFC 6265). So delete the cookie with name "Name-X" for all these paths. Do the same for the Domain attribute which unfortunately is more complicated. Delete the host cookie (Domain=="") and delete the domain cookies (Domain!=""). Make sure to get the right domain name (the effective TLD plus one).

As you see 2 is pretty complicated. But that is how cookies are designed: The server is expected to know what cookies the servers sets i.e. the server is expected to know the cookie identity (Domain,Path,Name) of all its cookies. The responsibility of the client is to send back the appropriate (Name,Value) pair for a certain request only. If the server wishes to delete a cookie it just sets MaxAge of that cookie to -1. Note that "that cookie" is something the server is expected to know and not infer from a client request.

Volker
  • 40,468
  • 7
  • 81
  • 87