salemdar / angular2-cookie

Implementation of Angular 1.x $cookies service to Angular 2
MIT License

Remove all not removing cookies #55

Closed jamilalisgandarov closed 7 years ago

jamilalisgandarov commented 7 years ago

Hi. I am using cookies for authentication, but I have a problem with removing cookies when the user logs out. As I see it, it doesn't remove cookies in some cases, and I can't find what's wrong with it. I share my user login and logout functions below. Is there anything wrong?

ng version

USER LOGIN

  onLogin(event) {
    event.preventDefault();
    this._authService.onLogin({
      username: this.login.get('email').value,
      password: this.login.get('password').value
    }).subscribe(data => {
      if (data.status == '200') {
        this._cookieService.removeAll();
        this._cookieService.putObject('place_credentials', { token: data.data.place.token, place_id: data.data.place.id });
        this._cookieService.putObject('place_info', {
          cover_image: data.data.place.cover_image,
          place_name: data.data.place.name,
          place_id: data.data.place.id,
          lat: data.data.latitude,
          lng: data.data.longitude,
          place_email: data.data.place.email,
          type: data.data.place.type
        });
        this._router.navigate(['/manage']);
      } else if (data.status == '408') {
        this._notifications.error('Uppps', 'Email is not confirmed');
      } else if (data.status == '407') {
        this._notifications.error('Uppps', 'Credentials are incorrect')
      }
    },
      err => {
        return 2;
      });
  }

USER LOGOUT

  isLogged() {
    let token = this._cookieService.getObject('place_credentials');
    if (token && token['token']) {
      return true;
    } else {
      return false;
    }
  }
  onLogout() {
    let url = this.url + "placeLogout";
    let body = this.getCredentials();
    this._http.post(url, JSON.stringify(body)).map(res => res.json())
      .subscribe(data => {
        if (data.status == '200') {
          this._cookieService.removeAll();
          this._router.navigate(['/login']);
        }
      })
  }

britztopher commented 7 years ago

👍 +1

salemdar commented 7 years ago

First of all, I think a DELETE request would be more appropriate for logging out.

Are you sure that it is always accessing the content of the if? My guess would be, when there's something wrong with the api and data status is something other than 200, it simply doesn't reach there. Until you provide more information than "some cases", I can't tell anything more.

jamilalisgandarov commented 7 years ago

@salemdar I get status 200; there is no problem with the API, because this._router.navigate(['/login']); was working fine, so it reaches there. I think I have fixed it: I was using providers:[CookieService] in my child module, and perhaps the problem was related to that. It has been fixed after deleting it from the child module.

salemdar commented 7 years ago

Cool. But I strongly recommend migrating to ngx-cookie.

jamilalisgandarov commented 7 years ago

Actually I have migrated it (got same problem). It has been fixed) Thanks

britztopher commented 7 years ago

I'm still having this issue. I have an auth service that is in my core module, and I'm in the same boat as you @jamilalisgandarov: the route is hit and it can read the cookies, however when I try to delete them they still remain.

  // TODO:: need to clear cookies from browser to clear auth token on logout
  public logout() {
    this.sessionStorage.clear();
    // this outputs the cookie like it's supposed to
    console.log('auth before delete token cookie::', this.cookies.get('token'));
    this.cookies.removeAll();
    //cookie still remains
    console.log('auth token cookie::', this.cookies.get('token'));
    this.setLoggedIn(false);
  }

Also, this is for both ngx-cookie and angular2-cookie, as I've tried them both.

darkmavis1980 commented 7 years ago

I have the same issue, remove or removeAll don't remove a thing, cookie is still there

dpmott commented 7 years ago

This may be relevant: https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly

KarthikSivakumar commented 6 years ago

I'm using ngx-cookie@1.0.1 and angular@4.4.6.

I used the EditThisCookie extension in Google Chrome to add cookies to my application as a session (without HttpOnly), as shown in the screenshot below. Still, remove or removeAll is not working for me.

I have used removeAll in my logout method of my Login service and have used a link to invoke this method.


Has anyone found a solution for this? Any help is much appreciated.

qcastel commented 6 years ago

If that is of any help to someone else, I had the same problem. For my part, it was due to the domain level:

My service was at directory.ob.forgerock.financial but my cookie was .ob.forgerock.financial

I had to explicitly do Cookie.deleteAll("/", ".forgerock.financial"); to make it work.
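
The domain mismatch described in the last comment and the HttpOnly restriction linked earlier in the thread can both be reproduced with a small model of the browser cookie store. This is an added example, not code from angular2-cookie, ngx-cookie or any commenter; the CookieJar class, the host app.example.test and the cookie values are constructed for illustration, and the matching rules are simplified from RFC 6265.

```javascript
// Simplified model of a browser cookie jar (assumption: identity rules follow
// RFC 6265, where a cookie is keyed by name + domain + path).
class CookieJar {
  constructor(host) {
    this.host = host;        // host of the page running the script
    this.store = new Map();  // "name|domain|path" -> { value, httpOnly }
  }

  key(name, domain, path) {
    // No Domain attribute means a host-only cookie bound to the current host.
    const d = (domain || this.host).replace(/^\./, '').toLowerCase();
    return `${name}|${d}|${path || '/'}`;
  }

  // fromScript=false models a Set-Cookie response header,
  // fromScript=true models a write through document.cookie.
  set(name, value, { domain, path, expires, httpOnly = false } = {}, fromScript = true) {
    const k = this.key(name, domain, path);
    const existing = this.store.get(k);
    // Script can neither create HttpOnly cookies nor overwrite existing ones.
    if (fromScript && (httpOnly || (existing && existing.httpOnly))) return false;
    // An already-expired write evicts the cookie stored under the same key, if any.
    if (expires !== undefined && expires <= Date.now()) return this.store.delete(k);
    this.store.set(k, { value, httpOnly });
    return true;
  }

  // What a client-side remove() amounts to: rewrite the cookie, already expired.
  remove(name, opts = {}) {
    return this.set(name, '', { ...opts, expires: 0 }, true);
  }
}

function demo() {
  const jar = new CookieJar('app.example.test');  // constructed host
  // Cookies as a server would set them (constructed values).
  jar.set('token', 'abc', { domain: '.example.test', path: '/' }, false);
  jar.set('sid', 'xyz', { path: '/', httpOnly: true }, false);
  return {
    noDomain: jar.remove('token'),  // targets the host-only key: no match
    wrongPath: jar.remove('token', { domain: '.example.test', path: '/manage' }),
    httpOnly: jar.remove('sid'),    // blocked: script cannot touch HttpOnly
    exact: jar.remove('token', { domain: '.example.test', path: '/' }),
    left: [...jar.store.keys()],
  };
}

console.log(demo());
```

Only the call that repeats the cookie's original domain and path removes it; an HttpOnly session cookie has to be cleared by the server with an expired Set-Cookie on logout.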