Firefox throws the following warning after deleting a valid cookie:
Cookie “cookie_name” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Scenario
After a valid login I send a cookie to the frontend. This cookie can be used during my session without any problems or warning. The development console also shows me the expected values: SameSite: "Strict"
and Secure: true
.
During the logout process the set cookie is removed by setting max-age=0
or expire=<date_in_past>
. The browser deletes the cookie immediately as expected but I also get the warning mentioned above. It doesn’t matter if I remove the cookie in the backend or frontend – the message will always be shown.
Code
Set Cookie – Backend (django):
class Login(): def post(self, request): ... response = Response(status=status.HTTP_200_OK, ...) response.set_cookie("cookie_name", value, max_age=60*60*5, secure=True, httponly=False, samesite='strict') return response
Remove Cookie – Frontend: (preferred way for this cookie in my scenario so far)
function removeItem(key, path, domain) { ... document.cookie = encodeURIComponent(key) + // "=; expires=Thu, 01 Jan 1970 00:00:00 GMT" + "=; max-age=0" + (domain ? "; domain=" + domain : "") + (path ? "; path=" + path : ""); return true; }, }
Remove Cookie – Backend (django): (listed just for completeness; results in same warning)
class Logout(): def post(self, request): ... response = Response(status=status.HTTP_200_OK, ...) response.delete_cookie("cookie_name") return response
Is there a better way to remove cookies that doesn’t result in the warning?
Advertisement
Answer
What you need to do is to add the samesite/secure cookie attributes when you set the cookie, otherwise, it might be rejected by the browser.