cookie.delete() not working on mobile
Describe the bug
When trying to call the cookie.delete() function it does work on desktop browsers but it does not work in mobile.
in /about/+page.server.ts
```ts
cookies.set('session', 'id', {
	// send cookie for every page
	path: '/',
	// server side only cookie so you can't use `document.cookie`
	httpOnly: true,
	sameSite: 'strict',
	// only sent over HTTPS in production
	secure: process.env.NODE_ENV === 'production',
	// set cookie to expire after a month
	maxAge: 60 * 60 * 24 * 30,
})
```
in hooks.server.ts
```ts
event.cookies.delete('session', { path: '/' });
```
Reproduction
https://github.com/myhrmans/sveltekit-cookie-bug
Logs
No response
System Info
Computer:
System:
OS: Windows 10 10.0.22621 (its windows 11 haha dont know why it says this)
CPU: (12) x64 Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz
Memory: 15.93 GB / 31.93 GB
Binaries:
Node: 18.12.1 - C:\Program Files\nodejs\node.EXE
Yarn: 3.3.0 - C:\Program Files\nodejs\yarn.CMD
npm: 8.19.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
Chromium (108.0.1462.76)
npmPackages:
@sveltejs/adapter-auto: ^1.0.0 => 1.0.0
@sveltejs/kit: ^1.0.0 => 1.0.7
@sveltejs/package: ^1.0.0 => 1.0.2
svelte: ^3.54.0 => 3.55.0
vite: ^4.0.0 => 4.0.4
Mobile:
OS: Android 13
Browser: Chrome
Severity
serious, but I can work around it
Additional Information
No response
There's no login in the code you pushed.
Please provide a proper reproduction, including saying how you interacted with the app, what you expected, and what actually happened.
Sorry, I was a little fast on the trigger. I also noticed now that the issue sometimes happens in Chrome on my computer. I might be doing something wrong, not sure. It might have something to do with the refresh of the page.
Here are the instructions:
- Clone repo https://github.com/myhrmans/sveltekit-cookie-bug
- npm install
- npm run dev
- open page (there should be no cookie atm)
- navigate to /about or press the "Press here to set cookie" in the navbar.
- Now there should be a cookie.
- navigate to home again and refresh the page.
- check log in terminal.
- check developer tools in chrome, see that cookie is still there
I can't reproduce this given the above steps, the cookie disappears after a refresh (tested in Chrome). What I see though is that sometimes - for some reason - Chrome keeps showing the cookie as present, but after a manual refresh of the displayed cookies in the dev tools (not another refresh of the page itself) it disappears. Maybe the same - the tool tricking you - happens for your mobile setup?
I think you also need to add the secure: false flag when deleting the cookie. I encountered the exact issue on mobile and tried to replicate on the desktop. Here is the result
With that, I explicitly set the secure flag on cookies.delete
```ts
cookies.delete(
	'access_token',
	{
		path: `${base}/`,
		secure: false,
	}
)
```
It now works as expected
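
The `secure` and `path` options discussed in this thread matter because a cookie is deleted by sending an already-expired `Set-Cookie` header, and the browser applies the same acceptance rules to that header as to any other. The following is an added example, not code from this thread or from SvelteKit: a simplified model of a browser cookie store with constructed headers, assuming the page is loaded over plain HTTP and that the server's delete header carries `Secure` unless the option is overridden.

```javascript
// Simplified model of a browser cookie store (not SvelteKit code).
// A cookie is identified here by name + path; domain handling is omitted.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: '/', secure: false, maxAge: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'path') cookie.path = v;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'max-age') cookie.maxAge = Number(v);
  }
  return cookie;
}

// Applies one Set-Cookie header to `jar` (a Map) and reports what happened.
function applySetCookie(jar, originIsSecure, header) {
  const c = parseSetCookie(header);
  // Browsers ignore a Secure cookie that arrives over plain HTTP,
  // including the expired one a server sends to delete a cookie.
  if (c.secure && !originIsSecure) return 'ignored';
  const key = `${c.name};${c.path}`;
  if (c.maxAge !== null && c.maxAge <= 0) {
    // Deletion only hits a stored cookie with the same name and path.
    return jar.delete(key) ? 'deleted' : 'no-match';
  }
  jar.set(key, c.value);
  return 'stored';
}

function demo() {
  const jar = new Map();
  const overHttp = false; // constructed case: page served over http://, not https://
  const results = [];
  // Constructed headers: set without Secure, then three delete attempts.
  results.push(applySetCookie(jar, overHttp, 'session=id; Path=/; HttpOnly; SameSite=Strict; Max-Age=2592000'));
  results.push(applySetCookie(jar, overHttp, 'session=; Path=/; HttpOnly; Secure; Max-Age=0'));
  results.push(applySetCookie(jar, overHttp, 'session=; Path=/about; HttpOnly; Max-Age=0'));
  results.push(applySetCookie(jar, overHttp, 'session=; Path=/; HttpOnly; Max-Age=0'));
  return { results, remaining: jar.size };
}

console.log(demo());
```

To check a real deployment, compare the `Set-Cookie` response header of the deleting request with the one that created the cookie in the browser's network panel.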