If the cookie is set using a domain (supertokens.com) then a leading dot is added by the browsers. To remove this cookie the domain must be present in the remove cookie string.
If the cookie is set without a domain then browsers do not add the leading dot. To remove this cookie the domain must not be present in the remove cookie string.
The test is performed on https://supertokens.com using the following code sample:
// Setting cookie with a domain
document.cookie = "foo=bar; expires=Fri, 23 Jun 2025 12:00:00 UTC; path=/; domain=supertokens.com"
// Removing cookie with a domain
document.cookie = "foo=bar; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=supertokens.com"
// Setting cookie without a domain
document.cookie = "foo=bar; expires=Fri, 23 Jun 2025 12:00:00 UTC; path=/;"
// Removing cookie without a domain
document.cookie = "foo=bar; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/;"
The behaviour on the st-website (leading dot not getting added by the browsers) can be attributed to the fact that we remove the domain attribute while setting the cookie if sessionTokenFrontendDomain matches the hostname, which would be the case if the URL is example.com:3000 and the sessionTokenFrontendDomain is example.com. This code can be found here.
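The set/remove matching rule above, modelled as an added example (not SuperTokens code and not part of the original write-up): a small cookie store that assumes browsers key a cookie by name, domain, host-only flag and path, as in RFC 6265bis. `CookieJar`, `removalAttempts` and the expiry dates are constructed for illustration.

```javascript
// Added example: minimal model of a browser cookie store. Assumption: a cookie is
// identified by name + domain + host-only flag + path (RFC 6265bis storage model).
class CookieJar {
  constructor(hostname) {
    this.hostname = hostname.toLowerCase(); // hostname of the page, without port
    this.store = new Map();
  }
  // Emulates `document.cookie = str` for the attributes used on this page.
  set(str) {
    const [pair, ...attrs] = str.split(";").map((s) => s.trim()).filter(Boolean);
    const eq = pair.indexOf("=");
    const [name, value] = [pair.slice(0, eq), pair.slice(eq + 1)];
    let domain = "", path = "/", expires = null;
    for (const attr of attrs) {
      const i = attr.indexOf("=");
      const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
      const val = i < 0 ? "" : attr.slice(i + 1).trim();
      if (key === "domain") domain = val.replace(/^\./, "").toLowerCase();
      else if (key === "path") path = val || "/";
      else if (key === "expires") expires = new Date(val).getTime();
    }
    // A Domain attribute that does not cover the current host is rejected.
    if (domain && this.hostname !== domain && !this.hostname.endsWith("." + domain)) return;
    const hostOnly = domain === ""; // no Domain attribute: host-only cookie, no leading dot
    const id = [name, hostOnly ? this.hostname : domain, hostOnly, path].join("|");
    // An expired cookie evicts only the stored entry with the identical key.
    if (expires !== null && expires <= Date.now()) this.store.delete(id);
    else this.store.set(id, { name, value, shown: hostOnly ? this.hostname : "." + domain });
  }
  // Domain column as DevTools would list it for a given cookie name.
  domainsFor(name) {
    return [...this.store.values()].filter((c) => c.name === name).map((c) => c.shown);
  }
}

// Constructed sample attributes: a far-future expiry and the epoch.
const KEEP = "expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/";
const DROP = "expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";

// Sets foo, tries a removal that does not mirror the Domain attribute, then one that does.
function removalAttempts(hostname, setDomainAttr) {
  const jar = new CookieJar(hostname);
  const withDomain = `; domain=${hostname}`;
  jar.set(`foo=bar; ${KEEP}${setDomainAttr ? withDomain : ""}`);
  const afterSet = jar.domainsFor("foo");
  jar.set(`foo=bar; ${DROP}${setDomainAttr ? "" : withDomain}`); // mismatched removal
  const afterMismatch = jar.domainsFor("foo");
  jar.set(`foo=bar; ${DROP}${setDomainAttr ? withDomain : ""}`); // matching removal
  return { afterSet, afterMismatch, afterMatch: jar.domainsFor("foo") };
}
```

In both directions the mismatched removal leaves the cookie in the store, which is why a sign-out path has to build its removal string with the same domain decision that was used when the cookie was set.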
Backend Cookies ("Set-Cookie" Header)
Case 1:
cookieDomain: "example.com"
Cookie Domain in the DevTools:
.example.com
.example.com
.example.com
Frontend Cookies (document.cookie)
Summary
Screen Recording -
https://github.com/supertokens/supertokens-node/assets/22813027/59b515ed-8447-495f-8fc2-05beed0cc5c6
https://github.com/supertokens/supertokens-node/assets/22813027/e2ced156-66cd-4ebf-a2ea-9a5ee2d205ad
https://github.com/supertokens/supertokens-node/assets/22813027/484ed050-8f70-4f8d-8d44-688a576eb1b0
st-website sessionTokenFrontendDomain behaviour
Case 1:
sessionTokenFrontendDomain: "example.com"
Cookie Domain in the DevTools:
example.com
example.com
example.com
Case 2:
sessionTokenFrontendDomain: "example.com"
Cookie Domain in the DevTools:
example.com
example.com
example.com
Browser Versions
This test used the following browser versions -