AstroCookies.delete does not support __Host- and __Secure- prefixed cookies #10480
Description
Astro Info
Astro version is irrelevant as you’ll see in the bug description, but here it is:
Astro v3.6.5
Node v20.10.0
System macOS (arm64)
Package Manager pnpm
Output server
Adapter @astrojs/node
Integrations @astrojs/react
@astrojs/tailwind
If this issue only occurs in one browser, which browser is a problem?
No response
Describe the Bug
The AstroCookies.delete API does not work for cookies with __Host- and __Secure- prefixes.
From MDN web docs:
__Host-
If a cookie name has this prefix, it's accepted in a Set-Cookie header only if it's also marked with the Secure attribute, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. This way, these cookies can be seen as "domain-locked".
__Secure-
If a cookie name has this prefix, it's accepted in a Set-Cookie header only if it's marked with the Secure attribute and was sent from a secure origin. This is weaker than the __Host- prefix.
The key takeaway is the Secure attribute requirement, which, based on the main branch of the repo, is not recognized by the AstroCookies.delete method:
`type AstroCookieDeleteOptions = Pick<AstroCookieSetOptions, 'domain' | 'path'>;`
As an example, this is how Chrome treats Set-Cookie headers that violate these requirements:
What's the expected result?
The AstroCookies.delete method should recognize all standard cookie attributes, except for maxAge and expires, since these are the only attributes that set a valid cookie apart from its expired version.
My current workaround is to use the AstroCookies.set method as follows:
```js
// Overwrite the cookie with an already-expired value, carrying the same
// attributes the original cookie was set with so the browser accepts it.
Astro.cookies.set("cookie-name", "deleted", {
  expires: new Date(0),
  secure: true,
  path: "/",
  httpOnly: true,
})
```
Link to Minimal Reproducible Example
https://stackblitz.com/edit/github-avarao?file=README.md
Participation
- I am willing to submit a pull request for this issue.
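The following is an added example, not code from Astro or from the issue author, that makes the rejection behaviour described above checkable offline: it builds the deletion Set-Cookie header that a delete call would emit for a given set of attributes, then checks that header against the __Host-/__Secure- rules quoted from MDN (Secure required; for __Host- additionally no Domain and Path=/). The helper names (parseSetCookie, prefixViolations, deletionHeader) and the cookie names are assumptions made for this illustration.

```javascript
// Added example (not Astro's code): build a deletion Set-Cookie header and
// check it against the __Host-/__Secure- prefix rules that browsers enforce.

// Parse a Set-Cookie header into { name, value, attrs }, where attrs maps
// lower-cased attribute names to their values (true for flag attributes).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of prefix-rule violations for a Set-Cookie header.
// An empty list means a browser following the MDN rules would accept it.
function prefixViolations(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (name.startsWith("__Host-")) {
    if (attrs.secure !== true) problems.push("__Host- requires Secure");
    if ("domain" in attrs) problems.push("__Host- forbids Domain");
    if (attrs.path !== "/") problems.push("__Host- requires Path=/");
  } else if (name.startsWith("__Secure-")) {
    if (attrs.secure !== true) problems.push("__Secure- requires Secure");
  }
  return problems;
}

// Build the header that expires a cookie (value "deleted", Expires in 1970),
// mirroring the attributes the workaround in the issue passes to set().
// `options` is a hypothetical shape: { domain, path, secure, httpOnly }.
function deletionHeader(name, options = {}) {
  const parts = [`${name}=deleted`, `Expires=${new Date(0).toUTCString()}`];
  if (options.domain) parts.push(`Domain=${options.domain}`);
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.secure) parts.push("Secure");
  if (options.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Constructed demonstration: a delete that can only pass domain/path (the
// current AstroCookieDeleteOptions) versus the workaround with Secure set.
const onlyPath = deletionHeader("__Host-session", { path: "/" });
const withSecure = deletionHeader("__Host-session", {
  path: "/",
  secure: true,
  httpOnly: true,
});
console.log(onlyPath, "->", prefixViolations(onlyPath));
console.log(withSecure, "->", prefixViolations(withSecure));
```

Running the block prints one violation ("__Host- requires Secure") for the header that carries only Path, and none for the header that also carries Secure, which is exactly the difference between the delete call silently failing and the workaround clearing the cookie.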