Does .flush() work correctly when a cookie domain is set?

[pashinin]

I have a problem with axum-login crate which uses tower-sessions.

For example:

auth.example.localhost - sets a cookie "id" for a domain ".example.localhost"

Then on logout session.flush().await?; is called but response

Set-Cookie: id=; Max-Age=0; Expires=Mon, 06 Feb 2023 09:20:24 GMT

does not touch a cookie. (I think because there is no "domain" param)

So a cookie is not removed from browser causing warnings:

tower_sessions_core::session: possibly suspicious activity: record not found in store

or maybe I did something wrong. But it looks strange to me.

[maxcountryman]

Did you configure a domain?

If you have, could you provide a minimal code sample that demonstrates what you're seeing?

[pashinin]

Yes, that is what caused a problem.
The problem happens at browser level. If our application is working on "auth.example.com" and we set a cookie for a whole domain ".example.com" - it's ok. But when we do Set-Cookie again (to remove it actually) we must also supply a cookie domain ".example.com" again otherwise browser will not change our cookie.

Browser gets this (without a domain):

Set-Cookie: id=; Max-Age=0; Expires=Mon, 06 Feb 2023 13:48:55 GMT

and thinks it's a cookie for "auth.example.com" and does not delete one created for ".example.com".

https://www.rfc-editor.org/rfc/rfc6265#section-5.1.3

I will make a PR into axum-login, just a couple of lines of what I think must be checked (and maybe fixed in tower-sessions).

[maxcountryman]

Since we don't have an example, it's difficult to say definitively, but I believe this is addressed as of the 0.10.2 release.

If you're still having trouble after updating, please provide a minimal example application that utilizes tower-sessions directly and clearly demonstrates the problem you're encountering.

[pashinin]

Yes, we've made the same change) tested, working.