
Session cookie survives (maxAge + zero value bug)

Open iliakan opened this issue 5 years ago • 2 comments

I'm using koa-session with params:

{
  key: 'sid',
  prefix: 'sess:',
  httpOnly: true,
  path: '/',
  overwrite: true,
  signed: false,
  maxAge: 3600 * 4 * 1e3,
  rolling: true
}

Session removal does this: ctx.cookies.set(key, '', opts).

Unfortunately, in "cookies" module, toHeader has this:

if (this.maxAge) this.expires = new Date(Date.now() + this.maxAge);

So no value (cookie deletion) actually leads to an empty cookie with a future expiration.

iliakan, Sep 20 '18 17:09
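The behaviour described in the post above, as an added example that is not part of the thread and not code from koa-session or the cookies module. `toHeader` is a simplified, hypothetical model built around the one line quoted in the post (the epoch default for empty values is an assumption), and `deletesCookie` is a check a logout regression test could run on a captured `Set-Cookie` header.

```javascript
// Simplified model of the serialization described in the issue. NOT the
// "cookies" module's source; only the maxAge line is quoted from the post.
function toHeader(name, value, opts, now = Date.now()) {
  const c = { path: '/' };
  if (!value) c.expires = new Date(0);   // assumption: empty value defaults to "expired"
  Object.assign(c, opts);
  // Line quoted in the issue: a truthy maxAge overwrites expires unconditionally.
  if (c.maxAge) c.expires = new Date(now + c.maxAge);
  let header = `${name}=${value}; path=${c.path}`;
  if (c.expires) header += `; expires=${c.expires.toUTCString()}`;
  if (c.httpOnly) header += '; httponly';
  return header;
}

// True only if a browser would discard the cookie on receipt of this header.
function deletesCookie(setCookie, now = Date.now()) {
  const attrs = {};
  for (const part of setCookie.split(';').slice(1)) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.join('=');
  }
  // Max-Age takes precedence over Expires (RFC 6265); an invalid value is ignored.
  const maxAge = parseInt(attrs['max-age'], 10);
  if (!Number.isNaN(maxAge)) return maxAge <= 0;
  if ('expires' in attrs) return Date.parse(attrs.expires) <= now;
  return false; // no expiry attribute: a session cookie, kept until the browser closes
}

// Constructed fixed clock so the output is reproducible.
const NOW = Date.UTC(2018, 8, 20, 17, 9);
// Cookie-related options from the issue's koa-session config.
const sessionOpts = { httpOnly: true, path: '/', maxAge: 3600 * 4 * 1e3 };

// "Removal" as described in the post: empty value, same opts.
const buggy = toHeader('sid', '', sessionOpts, NOW);
// Same call without maxAge, to isolate the attribute that causes the problem.
const withoutMaxAge = toHeader('sid', '', { httpOnly: true, path: '/' }, NOW);

console.log(buggy, '=> deletes:', deletesCookie(buggy, NOW));
console.log(withoutMaxAge, '=> deletes:', deletesCookie(withoutMaxAge, NOW));
```
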

I encountered the same bug/problem (?) and currently work around this by:

ctx.cookies.set(myFancyNameVar, '', {
  httpOnly: true,
  maxAge: 0
});

which is ugly since I don't want to restate the opts nor to access cookies directly.

Can this issue be addressed?

cmur2, Nov 28 '18 12:11

Server should respond with an expired date to clear the cookies in the browser. This should be expected behavior when setting ctx.session = null;

@cmur2 your solution didn't work for me to clear the cookie(s).

ejose19, Aug 16 '19 03:08