Cookie's don't clear if maxAge is set

[harryjamesuk]

If a cookie with a maxAge is set, performing res.clearCookie() will not clear the cookie.

We update the expiry in clearCookie() so the expires property is overriden to a past date:

res.clearCookie = function clearCookie(name, options) {
  var opts = merge({ expires: new Date(1), path: '/' }, options);

  return this.cookie(name, '', opts);
};

But then when this.cookie() is called, it sees the cookie has a maxAge property, which will override the expiry date in this code:

  if ('maxAge' in opts) {
    opts.expires = new Date(Date.now() + opts.maxAge);
    opts.maxAge /= 1000;
  }

and the cookie therefore wouldn't be cleared (In fact, it would actually cause the cookie's expiry date to be further into the future).

[dougwilson]

Hm, I'm not sure I'm understanding what you're saying. Can you provide an example reproduction? I just tried it out in Chrome and res.clearCookie cleared it just fine, but perhaps I am misunderstanding the report. An example app that demonstrates the issue would help a lot so we know what is being called with what values.

[harryjamesuk]

Hm, I'm not sure I'm understanding what you're saying. Can you provide an example reproduction? I just tried it out in Chrome and res.clearCookie cleared it just fine, but perhaps I am misunderstanding the report. An example app that demonstrates the issue would help a lot so we know what is being called with what values.

An example would be

res.cookie("example", "value", {maxAge: 600000});
res.clearCookie("example", {maxAge: 600000});

In this case, the cookie example would not be cleared.

[dougwilson]

Ah.. So that is currently intentional, and would be a breaking change to fix. There is another thread this was discussed in, as folks are currently abusing this "feature" to clear the value of the cookie (vs just delete the cookie).

[dougwilson]

Basically the res.clearCookie API will delete the cookie unless you provide a maxAge or an expires, in which case it only clears the value of the cookie. This is as designed currently.

[dougwilson]

Looking at the res.clearCookie docs on the site, it is very minimal documentation not explaining how it works, so I can understand the confusion. Our docs has been the number 1 under-maintained thing, as finding good documentation writers is difficult. We will get the documentation updated to properly explain the API.

[dougwilson]

but providing expires will also expire the cookie to Thu, 01 Jan 1970 00:00:00 GMT rather than the user supplied expires

Hm, that is strange. I tried that out and that is not the behavior I'm seeing. But, perhaps I'm not understanding what you mean. Can you provide code that reproduces that issue? A user-supplied expires to res.clearCookie should be what is used in the final Set-Cookie header (unless maxAge is also provided, in which case maxAge takes precedence).

[harryjamesuk]

but providing expires will also expire the cookie to Thu, 01 Jan 1970 00:00:00 GMT rather than the user supplied expires

Hm, that is strange. I tried that out and that is not the behavior I'm seeing. But, perhaps I'm not understanding what you mean. Can you provide code that reproduces that issue? A user-supplied expires to res.clearCookie should be what is used in the final Set-Cookie header (unless maxAge is also provided, in which case maxAge takes precedence).

Nevermind! You got there too quick! That does actually work as expected and makes sense now! Silly me confused the expected and actual results the wrong way round!

[dougwilson]

Gotcha. Yea, it could work in various different ways, but the worse part here is that our docs are definately lacking in explaining how these APIs work 😭 . I opened a ticket on our website to get them better from this conversation at least.