Session not destroyed on firefox

[lanoxx]

It seems that on session destroy the set-cookie header sent to clear the cookie has a time in the past, which seems to break on Firefox and I am not able to clear the session. It works on Chrome though.

set-cookie: session=; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; Path=/; SameSite=Lax; HttpOnly

See: https://stackoverflow.com/a/32706541/474034

[lanoxx]

I guess the problem is here: https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session.lua#L49

Maybe setting to current time would fix it.

[zandbelt]

this is the default way of clearing cookies that works for Firefox as well (in other implementations and other deployments) so the issue must be somewhere else

[lanoxx]

Well the session is actually destroyed, just on the client side the cookie is not cleared. I might be wrong, but I think the reason why it still works is because the value of the session token is invalidated on the server side. Nevertheless I can still see the cookie in the debug console of the client when I use Firefox while its no longer visible when I use Chrome.

[zandbelt]

if you mean the cookies still exist when you peek into the Firefox config, that seems to be due to a bug as reported here: https://bugzilla.mozilla.org/show_bug.cgi?id=576347

however Firefox should not actually send those cookies anymore on the actual requests, I hope you can confirm that

[Tieske]

since that firefox bug has been open for 10 years, I don't think waiting for it to be fixed is worthwhile, and all seems to work as expected. So can we close this?

[bungle]

I think we can close this.