I got a strange case when using go Gin, I got a site with this address:

I want to clear the cookies to let user logout when user access this path /logout

so in my Gin code I do it like this:

    for _, cookie := range cookies {
        ctx.SetCookie(cookie.Name, "", -1, "/", "opencsg-stg", false, false)
    }

But it's not working, when I check the headers in browser, it looks like this:

When I changed the code to this:

    for _, cookie := range cookies {
        ctx.SetCookie(cookie.Name, "", -1, "/", "", false, false)
    }

it works and the headers in browser is like this:

Not sure why it is working, anyone knows?

I got a strange case when using go Gin, I got a site with this address: https://opencsg-stg

I want to clear the cookies to let user logout when user access this path /logout

so in my Gin code I do it like this:

    for _, cookie := range cookies {
        ctx.SetCookie(cookie.Name, "", -1, "/", "opencsg-stg", false, false)
    }

But it's not working, when I check the headers in browser, it looks like this:

When I changed the code to this:

    for _, cookie := range cookies {
        ctx.SetCookie(cookie.Name, "", -1, "/", "", false, false)
    }

it works and the headers in browser is like this:

Not sure why it is working, anyone knows?

• go
• cookies

Share Improve this question Follow edited Nov 16, 2024 at 9:28 jub0bs 66.6k2727 gold badges195195 silver badges196196 bronze badges asked Nov 16, 2024 at 3:03 hiveerhiveer 76788 silver badges1717 bronze badges

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 2

TL;DR

Evidence suggests that the cookie(s) you're trying to clear were not created with a Domain attribute. In that case, to effectively clear those cookies, you must set them without specifying any Domain attribute.

More details

Cookies are identified by the following triplet: (name, domain, path). Note that "domain" is tricky: every cookie is associated with a domain, but that doesn't mean it was created with a Domain attribute. Even with all other things being equal, a cookie created with a Domain attribute is different from a cookie created without one. For instance,

Set-Cookie: can-change-username=true; Path=/; Domain=opencsg-stg
Set-Cookie: can-change-username=true; Path=/

creates two distinct cookies in the browser.

Check in your backend code whether those cookies are created with or without a Domain attribute. You can also check this in the browser: the DevTools use a leading . in the value of the Domain column as a visual indicator that a cookie was created with a Domain attribute.