Currently, when calling `destroy` on a cookie, the response contains the cookie with an empty value and no `maxAge`, changing it to a session cookie. However, it's still there and being sent to the server (meaningless, that's true).
The disadvantage of session cookies is that when users 'restore' their previous browser session the cookies stay there for a long time.
When you would have a lot of cookies being sent through the browser, debugging can become harder (logging all cookies) and well, you didn't destroy the cookie for nothing, right?
Secondly, theoretically speaking a browser could choose to not send all cookies or delete low priority cookies, because of the total size of all 'deleted' cookies with (the default) medium priority, according to spec https://datatracker.ietf.org/doc/html/draft-west-cookie-priority-00#section-4.1.
If you set the response to `maxAge: -1` the cookie is being deleted from the cookie jar instantly, which would prevent any issues.
Secondly, you could add `priority: "low"` in the cookie response, which would prevent any overrides or unwanted behavior in case the `maxAge: -1` is not being respected.
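The behaviour described in the post above, as an added example that is not part of the original discussion or the library's own code: a minimal cookie jar applying the RFC 6265 `Max-Age` rule, showing that an empty-value `Set-Cookie` without `Max-Age` leaves a session cookie that is still sent, while `Max-Age=-1` removes it. `destroyHeader`, `CookieJar`, `simulateDestroy` and the `token` cookie are hypothetical names, and the jar is keyed by name only (a real jar also keys on domain and path).

```javascript
// Added example: hypothetical helper that builds the Set-Cookie value a
// "destroy" call would emit. Not the library's API.
function destroyHeader(name, { maxAge, priority } = {}) {
  let header = `${name}=; Path=/`;
  if (maxAge !== undefined) header += `; Max-Age=${maxAge}`;
  if (priority !== undefined) header += `; Priority=${priority}`;
  return header;
}

// Simplified cookie jar: keyed by name only, understands Max-Age only.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Apply one Set-Cookie header value at time `now` (milliseconds).
  setCookie(header, now = Date.now()) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let expires = null; // null means session cookie (no Max-Age given)
    for (const attr of attrs) {
      const [key, val] = attr.split("=");
      if (key.toLowerCase() === "max-age" && /^-?\d+$/.test(val)) {
        const secs = Number(val);
        // RFC 6265 section 5.2.2: a value <= 0 expires the cookie immediately.
        expires = secs <= 0 ? 0 : now + secs * 1000;
      }
    }
    if (expires !== null && expires <= now) this.cookies.delete(name);
    else this.cookies.set(name, { value, expires });
  }

  // The Cookie request header that would be sent at time `now`.
  requestHeader(now = Date.now()) {
    return [...this.cookies]
      .filter(([, c]) => c.expires === null || c.expires > now)
      .map(([n, c]) => `${n}=${c.value}`)
      .join("; ");
  }
}

// Store a constructed sample cookie, apply the destroy header, and return
// what the next request would carry.
function simulateDestroy(destroyOptions) {
  const jar = new CookieJar();
  jar.setCookie("token=abc123; Path=/; Max-Age=3600"); // constructed sample
  jar.setCookie(destroyHeader("token", destroyOptions));
  return jar.requestHeader();
}
```

`simulateDestroy()` models the current behaviour and `simulateDestroy({ maxAge: -1 })` the proposed one; the `Priority` attribute is emitted by `destroyHeader` but ignored by this simplified jar.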