Tuesday, 11 April 2017

Can't destroy cookie in JavaScript created by Express

For an OAuth flow, I am setting the access token in a cookie on the server (Express) like so:

res.cookie('name', 'myname', {httpOnly: false, path: '/'});
res.cookie('access_token', accessToken);

// on the client
console.log(document.cookie); // displays "name=myname; access_token=12345"

When/if the access token is no longer valid, I want to destroy the cookie. So on the client, if the server fails to make a successful request with that access token I am doing this:

document.cookie = 'name=myname; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/';
console.log(document.cookie) // displays "access_token=12345"

So for some reason it's removing the "name" portion of the cookie but not the access token. How can I destroy the cookie entirely?

I saw other comments about how the path should be the same, or that httpOnly set to true would prevent JavaScript from mutating the cookie, but I've addressed all that and still the token sticks around in the cookie.



via citizen conn
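
Added example, not part of the original post: a simplified model of how a browser treats `document.cookie`, replaying the two `res.cookie` calls and the one client-side assignment from the question. `CookieJar`, `expireAll` and `reproduce` are hypothetical names, and the model assumes the page is served from `/` and ignores domain, Secure and SameSite handling.

```javascript
// Constructed model of document.cookie semantics (not a real browser API).
class CookieJar {
  constructor() { this.store = new Map(); } // key "name|path" -> { name, value }

  // One Set-Cookie header or one document.cookie assignment touches exactly
  // one cookie: the one whose name (and path) appears in the string.
  set(cookieString) {
    const [pair, ...attrs] = cookieString.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let path = '/'; // assumption: the page is served from "/"
    let expires = null;
    for (const attr of attrs) {
      const i = attr.indexOf('=');
      const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
      const val = i < 0 ? '' : attr.slice(i + 1);
      if (key === 'path') path = val;
      if (key === 'expires') expires = new Date(val);
    }
    const id = `${name}|${path}`;
    if (expires !== null && expires.getTime() <= Date.now()) this.store.delete(id);
    else this.store.set(id, { name, value });
  }

  // What reading document.cookie returns: every script-visible cookie, joined.
  get cookie() {
    return [...this.store.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

const EPOCH = 'Thu, 01 Jan 1970 00:00:00 UTC';

// Expire every cookie currently visible to script, one assignment per name.
function expireAll(jar, path = '/') {
  const names = jar.cookie.split('; ').filter(Boolean).map((c) => c.split('=')[0]);
  for (const name of names) jar.set(`${name}=; expires=${EPOCH}; path=${path}`);
  return names;
}

// Replay the post: the server sets two cookies, the client expires only "name".
function reproduce() {
  const jar = new CookieJar();
  jar.set('name=myname; Path=/');
  jar.set('access_token=12345; Path=/');
  jar.set(`name=myname; expires=${EPOCH}; path=/`);
  const afterPostCode = jar.cookie; // access_token was never named, so it stays
  expireAll(jar);
  return { afterPostCode, afterExpireAll: jar.cookie };
}
```

In a real browser the equivalent of `expireAll` is one `document.cookie = 'access_token=; expires=...; path=/'` assignment per cookie name; on the server, Express's `res.clearCookie('access_token')` sends the same expiry. A cookie set with `httpOnly: true` is not visible to script at all and can only be cleared by the server.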
