Include the Domain= directive when deleting cookies
Closed this issue · 2 comments
avoine commented
I was chasing a bug where users were not correctly disconnected from applications and found that
when mellon sets its cookie it sets the domain directive, but not when it removes it.
The browser then ignores the cookie deletion and the user is still logged in.
Request URL: https://mywebsite.com/mellon/postResponse
Request Method: POST
Status Code: 303 See Other
[...]
Set-Cookie: mellon-cookie=abcdef..; Version=1; Path=/; Domain=mywebsite.com;
vs
Request URL: https://mywebsite.com/mellon/logout?SAMLRequest=ABCD...
Request Method: GET
Status Code: 303 See Other
[...]
Set-Cookie: mellon-cookie=NULL; version=1; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/
In my test adding the domain clears the cookie correctly.
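As an added illustration (not code from this issue or from mod_auth_mellon), a simplified cookie store that keys cookies on (name, domain, path) the way browsers do in practice, distinguishing a domain cookie set with Domain= from a host-only cookie set without it; it shows why the logout header above, lacking Domain=, leaves the session cookie in place, and why adding Domain= removes it. The header strings are taken from the issue with the cookie value shortened.

```python
EPOCH = "Thu, 01-Jan-1970 00:00:00 GMT"


def parse_set_cookie(header, request_host):
    """Split one Set-Cookie header into the fields a cookie store keys on.

    Attribute names are case-insensitive (Path= vs path=). A Domain= attribute
    yields a domain cookie, keyed with a leading dot as browsers store it; no
    Domain= yields a host-only cookie keyed on the bare request host.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if "domain" in attrs:
        domain_key = "." + attrs["domain"].lstrip(".").lower()
    else:
        domain_key = request_host.lower()
    path = attrs.get("path", "/")
    expired = attrs.get("expires") == EPOCH or attrs.get("max-age") == "0"
    return name.strip(), value, domain_key, path, expired


class CookieJar:
    """Simplified browser cookie store keyed on (name, domain, path)."""

    def __init__(self):
        self.store = {}

    def apply(self, header, request_host):
        name, value, domain_key, path, expired = parse_set_cookie(header, request_host)
        key = (name, domain_key, path)
        if expired:
            self.store.pop(key, None)  # only removes a cookie with an identical key
        else:
            self.store[key] = value

    def keys_for(self, name):
        return sorted(k for k in self.store if k[0] == name)


# Headers as quoted in the issue (value shortened); FIXED_DELETE adds Domain=.
SESSION_SET = "mellon-cookie=abcdef; Version=1; Path=/; Domain=mywebsite.com"
BUGGY_DELETE = "mellon-cookie=NULL; version=1; expires=" + EPOCH + "; path=/"
FIXED_DELETE = BUGGY_DELETE + "; Domain=mywebsite.com"


def cookie_gone_after_logout(delete_header, host="mywebsite.com"):
    """Set the session cookie as at login, apply the logout header, report removal."""
    jar = CookieJar()
    jar.apply(SESSION_SET, host)
    jar.apply(delete_header, host)
    return jar.keys_for("mellon-cookie") == []
```

Calling cookie_gone_after_logout(BUGGY_DELETE) returns False because the deletion targets the host-only key, while cookie_gone_after_logout(FIXED_DELETE) returns True.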
olavmrk commented
Hi,
I had a look at the code now, and I see the error. It should be fixed. However, you should still be logged out -- we are not dependent on the cookie for deciding if a session is active or not.