ResponseCookies.Delete(key, cookieOptions) doesn't delete cookie if the caller provides a non-null max-age #52159
Comments
ghost
added
the
area-networking
|
Ah, yeah, I can see how that would be a problem. Delete should set MaxAge to null, 0, or -1. The good thing is that the value is set to string.Empty so that even if the cookie isn't deleted, at least the value is. Most apps should treat the empty value as a missing cookie. I'm a bit surprised the browser doesn't. |
Tratcher
added
bug
Actually, I've found another subtle change in behavior (arguably should be a new issue but I think it's relevant to this discussion). In my app I'm intentionally setting a cookie with a blank value and just using the presence / absence of the cookie as a flag. In .NET 6 this worked. In .NET 8 my app can't see the cookie at all (it's not present in It's easy enough for me to change my app to set a dummy value, so I don't have strong feelings on what the behavior should be. Perhaps this one is my own fault for relying on a blank value. Just something I've run into and others might run into as well. |
|
I also stumbled over empty cookies being missing. RFC 6265 permits |
|
@rjpowers10 @carlreinke Please open a separate issue for that scenario. |
|
Do we need something like this? namespace Microsoft.AspNetCore.Http;
public class CookieOptions
{
public DateTimeOffset? Expires
{
get;
set
{
+ MaxAge = default;
+ _expires = value;
}
}
} |
|
@danirzv No, that depends on the order properties are set in. It's better to have the Delete method reason about what shape the cookie should take. |
|
Is this issue still relevant? I could try tackling it |
|
@ddjerqq Yes please. |
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
dotnet-policy-service
bot
added
the
pending-ci-rerun
wtgodbe
removed
the
pending-ci-rerun
|
@Tratcher The current call on append() at the bottom of the delete method is as follows: Would amending it to force maxAge to If that is the case, I'd be happy to contribute a PR. |
|
Yes, that would likely work. |
|
This should be closed after merged changes in #55169 |
Uh oh!
There was an error while loading. Please reload this page.
Is there an existing issue for this?
Describe the bug
I've run into a subtle change in behavior in
ResponseCookies.Delete(key, cookieOptions)where the cookie isn't deleted if the caller provides a non-null MaxAge..NET 6 behavior
Relevant line of code
A new
CookieOptionsobject is created, copying the values for Path, Domain, Secure, HttpOnly, and SameSite. Expires is forced toDateTimeOffset.UnixEpoch. MaxAge is left with its default value ofnull.End result: cookie is deleted regardless of what the caller provides for Expires and MaxAge.
.NET 8 behavior
Relevant line of code
The new
CookieOptionsis created using the copy constructor. This copies all the properties, including MaxAge.End result: if the caller happens to provide a non-null value of MaxAge the cookie will not be deleted. Or at least, this is the behavior I'm seeing in Chrome 119.0.6045.160. I believe browsers give
max-ageprecedence overexpires.I'm running into this because I have a cached
CookieOptionsthat I'm using for both the set and the delete (mostly to ensure the same Path is used for both calls). But as a side effect, I'm sending a non-null MaxAge to the delete and the cookie is not being deleted.Workaround
Callers can ensure that MaxAge is
nullbefore callingDelete.Expected Behavior
The cookie should be deleted even if the caller happens to provide a non-null MaxAge.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: