`cookies` API not working in some cases

[j4w8n]

Describe the bug

When either of the below cookie removal methods are used, Firefox warns the Cookie <name> has been rejected because it is already expired and it never removes the cookie. Chrome never removes the cookie either.

The workaround is to use cookies.set(), in the DELETE method, and pass both path and sameSite options to reflect values of the existing cookie.
I include path: '/', when creating the cookie in POST, because without it, the path would be set to /api.

Reproduction

https://github.com/j4w8n/cookie-bug

In a api/cookie/+server.js file:

1. create a cookie in a POST request using cookies.set(), including options path and sameSite
2. delete a cookie in a DELETE request using cookies.delete(), or cookies.set() without the path and sameSite options.

General fyi, without passing the sameSite option with cookies.set() in step 2, Firefox will warn that the cookie is misusing the recommended SameSite attribute. Not that it's crucial, because we're trying to delete it anyway.

Logs

No response

System Info

System:
    OS: macOS 12.5.1
    CPU: (4) x64 Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
    Memory: 31.02 MB / 4.00 GB
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.15.0 - /usr/local/bin/node
    Yarn: 1.22.5 - /usr/local/bin/yarn
    npm: 8.5.5 - /usr/local/bin/npm
  Browsers:
    Chrome: 105.0.5195.102
    Firefox: 104.0.1
    Safari: 15.6.1
  npmPackages:
    @sveltejs/adapter-auto: next => 1.0.0-next.71 
    @sveltejs/kit: next => 1.0.0-next.476 
    svelte: ^3.44.0 => 3.50.0 
    vite: ^3.1.0 => 3.1.0

Severity

serious, but I can work around it

Additional Information

No response

[cdcarson]

@j4w8n I'm working on a fix that I hope will address the "missing keys" issues that you describe. Right now, I have the following as defaults:

{
  httpOnly: true,
  secure: true,
   path: '/',
   sameSite: 'lax',
   ...options // i.e. supplied to set or delete, will override the above
}

Does that look right to you? (It was what I was using before the cookies API, and seemed good.) Let me know.

You can look at the full file here:

kit/packages/kit/src/runtime/server/cookie.js

Line 29 in 1dc1417

set(name, value, options = {}) {

[j4w8n]

@cdcarson yep, looks like sane defaults.

[blazzjosh]

@j4w8n what workaround is available ? - I am currently trying to delete auth cookies using cookies.delete()

[pierregoutheraud]

@blazzjosh You could set the cookie again with a max-age of 0.

[j4w8n]

@cdcarson I tried your changes in #6648. Works great! Looking forward to this being merged.

[david-plugge]

I´m seeing a weird bug when using cookies in a handle hook in this repo, maybe the PR will fix it. Or maybe i´m doing something wrong?

Setting the cookies works in an endpoint but not in a handle hook. However, in another handle it works?

[cdcarson]

@david-plugge can you show a version of your handle hook? I can write a test for it and see if the pr will fix. Thanks

[cdcarson]

@david-plugge Ignore my last comment. I was on my phone and didn't see the link to the repo.