clearance
clearance copied to clipboard
thoughtbot
Two cookies set: "example.com" and ".example.com"
Hello!
I recently upgraded from 1.6.0 to 2.1.0 and I'm on Rails 6.0.0.
I have noticed that Clearance sets two cookies when I sign in: one for the domain .example.com and another for example.com. They have the same name (remember_token), value, path (/), and size. They differ as follows:
| Field | .example.com | example.com |
|---|---|---|
| Expires | In 1 year | Session |
| Secure | Yes | No |
| HttpOnly | Yes | No |
| SameSite | Lax | - |
Here is an excerpt from my configuration:
Clearance.configure do |config|
config.allow_sign_up = false
config.cookie_domain = (Rails.env.production? ? '.example.com' : nil)
config.routes = false
config.rotate_csrf_on_sign_in = true
config.httponly = true
config.secure_cookie = Rails.env.production?
config.same_site = :lax
end
When I log out Clearance deletes the .example.com cookie but leaves the other one alone.
It looks to me like the .example.com cookie is the "correct" one and the other one is bogus. How do I ensure the other one isn't created in the first place?
Also, I don't use subdomains at all – so should I actually be setting the cookie domain to example.com instead of .example.com?
Many thanks in advance.
