dj-rest-auth
The cookies cannot be deleted on logout
https://github.com/iMerica/dj-rest-auth/blob/8a460ecf9a72aec269b75160e5c97f7ed608e247/dj_rest_auth/jwt_auth.py#L60
https://github.com/iMerica/dj-rest-auth/blob/8a460ecf9a72aec269b75160e5c97f7ed608e247/dj_rest_auth/jwt_auth.py#L62
Please add the samesite parameter to the delete_cookie function, because in Chrome, for example, the cookie cannot be deleted. When I add samesite='None', all is okay.
Is this a cross site scenario?
> Is this a cross site scenario?
That does seem likely. I wonder if any django-cors packages are able to supplement this issue with a low-effort patch.
Has this been solved already?
I currently have the same problem.
However, this issue is not limited to Google Chrome for me as I have tested the /logout endpoint on Firefox and it doesn't work either.
I have tested the login and logout on Postman and it works perfectly:
- Login: Cookies are set by the server
- Logout: Cookies are deleted without any issue
- The logout response headers

Using my frontend app:
- Login: response headers > Cookies
- Logout: response headers > Cookies. Here the sessionid cookie removal seems to be missing for unknown reasons (even though it is present in the Postman response)
- Checking the cookies in the browser and they're still set with the initial expiration date

I'm quite confused on what's happening here...
Still not working... I have set all these settings:
CORS_ALLOW_CREDENTIALS = True
SESSION_COOKIE_SECURE = True
JWT_AUTH_SAMESITE = 'None'
JWT_AUTH_SECURE = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SAMESITE = 'None'
Works for some requests but definitely not for logout.
Any news on this? I am facing the same issue. The Set-Cookie header on the /logout is SameSite="lax" but I've set cookies to None.
The /login route comes back with SameSite=None and Secure, but logout doesn't, even though it's the same cookie it's affecting and the same header.
Same problem here.
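
The behaviour reported in this thread can be reproduced without a browser. The following is an added example, not code from dj-rest-auth or Django: it uses only Python's standard library, a constructed cookie name and token, and a simplified model of the browser rule (a Set-Cookie in a cross-site response is honoured only with SameSite=None and Secure; a missing SameSite is treated as Lax).

```python
from http.cookies import SimpleCookie

COOKIE = "jwt-auth"  # constructed cookie name for this sketch


def set_cookie_header(value="", *, samesite=None, secure=False, delete=False):
    """Build a Set-Cookie header value; delete=True expires the cookie."""
    jar = SimpleCookie()
    jar[COOKIE] = value
    morsel = jar[COOKIE]
    morsel["path"] = "/"
    if delete:
        morsel["max-age"] = 0
        morsel["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    if samesite:
        morsel["samesite"] = samesite
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def browser_accepts(header, *, cross_site):
    """Simplified browser rule for storing (or deleting via) a Set-Cookie."""
    attrs = {}
    for part in header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    samesite = attrs.get("samesite", "lax").lower()  # absent is treated as Lax
    if samesite == "none" and "secure" not in attrs:
        return False  # SameSite=None is rejected without Secure
    return samesite == "none" or not cross_site


def cookie_survives_logout(logout_header, *, cross_site=True):
    """Apply a login header, then the logout header; True if cookie remains."""
    stored = {}
    login = set_cookie_header("constructed-token", samesite="None", secure=True)
    for header in (login, logout_header):
        if not browser_accepts(header, cross_site=cross_site):
            continue  # the browser blocks the header and the jar is unchanged
        if "max-age=0" in header.lower():
            stored.pop(COOKIE, None)
        else:
            stored[COOKIE] = header
    return COOKIE in stored


bare_delete = set_cookie_header(delete=True)  # no SameSite, no Secure
matched_delete = set_cookie_header(delete=True, samesite="None", secure=True)
```

With `cross_site=False` the bare deletion header is honoured, which matches the Postman result above, since Postman does not enforce SameSite at all.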