Session cookie not cleared if logout route is not at the root level

[Technius]

With SignedCookieBackend, session().clear() doesn't clear cookies if it is called on a route that isn't at the server root (e.g. /path/logout). This problem doesn't happen if Path=/ is added to the Set-Cookie header. I've confirmed this with both Firefox 45 and Chrome 57. I haven't tested this with the RedisBackend.

A minimal demonstration and a workaround can be found in this gist.

The dependencies that I used are

• iron 0.5.1
• mount 0.3.0
• router 0.5.1
• iron-sessionstorage 0.6.6

Edit: Looks like the issue is caused by this line. It seems like since Path is set when the cookie is created, cookie.clear does not remove the cookie.

[untitaker]

Thanks, please check whether #9 fixes your problem.

[Technius]

@untitaker It doesn't work; it could be a bug with cookie 0.5.0. Maybe the fix would be to upgradecookie.

[untitaker]

That sounds sensible. It appears cookie 0.7 has changed a lot from 0.5 and this will require quite a lot of internal changes. I might have time for this next week but right now I can't.

…

On Tue, Apr 04, 2017 at 08:06:31PM -0700, Bryan Tan wrote: @untitaker It doesn't work; it could be a [bug with cookie 0.5.0](rwf2/cookie-rs#75). Maybe the fix would be to upgrade`cookie`. -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #8 (comment)