koajs / session

Simple session middleware for koa
MIT License

Session cookie survives (maxAge + zero value bug) #142

Open iliakan opened 6 years ago

iliakan commented 6 years ago

I'm using koa-session with params:

{
  key: 'sid',
  prefix: 'sess:',
  httpOnly: true,
  path: '/',
  overwrite: true,
  signed: false,
  maxAge: 3600 * 4 * 1e3,
  rolling: true
}

Session removal does this: ctx.cookies.set(key, '', opts).

Unfortunately, in "cookies" module, toHeader has this:

if (this.maxAge) this.expires = new Date(Date.now() + this.maxAge);

So no value (cookie deletion) actually leads to an empty cookie with a future expiration.

cmur2 commented 5 years ago

I encountered the same bug/problem (?) and currently work around this by:

ctx.cookies.set(myFancyNameVar, '', {
  httpOnly: true,
  maxAge: 0
});

which is ugly since I don't want to restate the opts nor to access cookies directly.

Can this issue be addressed?

ejose19 commented 5 years ago

Server should respond with an expired date to clear the cookies in the browser. This should be expected behavior when setting ctx.session = null;

@cmur2 your solution didn't work for me to clear the cookie(s).
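
The behaviour reported in this issue, as an added example that is not part of the thread and is not code from koa-session or the "cookies" module: `toHeader` is a simplified model built around the one line quoted in the first comment, and `deletionOptions`, `clearsCookie` and the fixed clock `NOW` are hypothetical names introduced here. It shows why a deletion that reuses session options containing `maxAge` produces a future expiry, and a check a logout test can run against the `Set-Cookie` header.

```javascript
// Simplified model of the header logic described in the issue (not the module's source).
function toHeader(name, value, opts, now) {
  const c = Object.assign({}, opts);
  // The line quoted in the issue: a truthy maxAge always overwrites expires.
  if (c.maxAge) c.expires = new Date(now + c.maxAge);
  let header = name + '=' + value;
  if (c.path) header += '; path=' + c.path;
  if (c.expires) header += '; expires=' + c.expires.toUTCString();
  if (c.httpOnly) header += '; httponly';
  return header;
}

// Hypothetical helper: keep path/httpOnly so the browser matches the original
// cookie, drop maxAge, and force an expiry in the past.
function deletionOptions(opts) {
  const { maxAge, ...rest } = opts;
  return { ...rest, expires: new Date(0) };
}

// Regression check: does this Set-Cookie header tell the browser to drop the cookie?
function clearsCookie(header, now) {
  const attrs = header.split(';').slice(1).map((a) => a.trim());
  let expiry = null;
  for (const a of attrs) {
    const eq = a.indexOf('=');
    const key = (eq === -1 ? a : a.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? '' : a.slice(eq + 1);
    if (key === 'max-age') return Number(val) <= 0; // Max-Age takes precedence over Expires
    if (key === 'expires') expiry = Date.parse(val);
  }
  return expiry !== null && !Number.isNaN(expiry) && expiry <= now;
}

const NOW = Date.UTC(2024, 0, 1); // constructed fixed clock for a repeatable result
// path, httpOnly and maxAge taken from the configuration in the first comment
const sessionOpts = { path: '/', httpOnly: true, maxAge: 3600 * 4 * 1e3 };

const buggy = toHeader('sid', '', sessionOpts, NOW);
const fixed = toHeader('sid', '', deletionOptions(sessionOpts), NOW);
console.log(buggy, '-> clears cookie:', clearsCookie(buggy, NOW));
console.log(fixed, '-> clears cookie:', clearsCookie(fixed, NOW));
```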