Firefox throws the following warning after deleting a valid cookie:
Cookie “cookie_name” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Scenario
After a valid login I send a cookie to the frontend. This cookie can be used during my session without any problems or warning. The development console also shows me the expected values: SameSite: "Strict" and Secure: true.
During the logout process the set cookie is removed by setting max-age=0 or expire=<date_in_past>. The browser deletes the cookie immediately as expected but I also get the warning mentioned above. It doesn’t matter if I remove the cookie in the backend or frontend – the message will always be shown.
Code
Set Cookie – Backend (django):
class Login():
def post(self, request):
...
response = Response(status=status.HTTP_200_OK, ...)
response.set_cookie("cookie_name", value, max_age=60*60*5, secure=True, httponly=False, samesite='strict')
return response
Remove Cookie – Frontend: (preferred way for this cookie in my scenario so far)
function removeItem(key, path, domain) {
...
document.cookie =
encodeURIComponent(key) +
// "=; expires=Thu, 01 Jan 1970 00:00:00 GMT" +
"=; max-age=0" +
(domain ? "; domain=" + domain : "") +
(path ? "; path=" + path : "");
return true;
},
}
Remove Cookie – Backend (django): (listed just for completeness; results in same warning)
class Logout():
def post(self, request):
...
response = Response(status=status.HTTP_200_OK, ...)
response.delete_cookie("cookie_name")
return response
Is there a better way to remove cookies that doesn’t result in the warning?
Advertisement
Answer
What you need to do is to add the samesite/secure cookie attributes when you set the cookie, otherwise, it might be rejected by the browser.