Skip to content
Advertisement

How do I fix the warning “Cookie ‘cookie_name’ will be rejected soon …” that I get after deleting the cookie?

Firefox throws the following warning after deleting a valid cookie:

Cookie “cookie_name” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Scenario

After a valid login I send a cookie to the frontend. This cookie can be used during my session without any problems or warning. The development console also shows me the expected values: SameSite: "Strict" and Secure: true.

Firefox - Storage/Cookies/Details

During the logout process the set cookie is removed by setting max-age=0 or expire=<date_in_past>. The browser deletes the cookie immediately as expected but I also get the warning mentioned above. It doesn’t matter if I remove the cookie in the backend or frontend – the message will always be shown.

Code

Set Cookie – Backend (django):

class Login():
    def post(self, request):
        ...
        response = Response(status=status.HTTP_200_OK, ...)
        response.set_cookie("cookie_name", value, max_age=60*60*5, secure=True, httponly=False, samesite='strict')
        return response

Remove Cookie – Frontend: (preferred way for this cookie in my scenario so far)

function removeItem(key, path, domain) {
    ...
    document.cookie =
      encodeURIComponent(key) +
      //      "=; expires=Thu, 01 Jan 1970 00:00:00 GMT" +
      "=; max-age=0" +
      (domain ? "; domain=" + domain : "") +
      (path ? "; path=" + path : "");
    return true;
  },
}

Remove Cookie – Backend (django): (listed just for completeness; results in same warning)

class Logout():
    def post(self, request):
        ...
        response = Response(status=status.HTTP_200_OK, ...)
        response.delete_cookie("cookie_name")
        return response

Is there a better way to remove cookies that doesn’t result in the warning?

Advertisement

Answer

What you need to do is to add the samesite/secure cookie attributes when you set the cookie, otherwise, it might be rejected by the browser.

User contributions licensed under: CC BY-SA
1 People found this is helpful
Advertisement