Description
Hi.
I have a simple server (ASP.NET Core) with cookie authentication that sends my curl client a Set-Cookie at login, and another one to overwrite the same cookie at logout. The curl client is using a cookie-jar file to store the cookie.
Note that I'm using the code from Microsoft/ASP.NET Core and haven't done anything particular in the server code. I'm not manipulating the cookie; it is just a basic SignIn / SignOut, which takes care of sending the Set-Cookie command back to the curl client.
With 7.47.1, it is working fine. After the logout, the cookie gets cleaned out of my cookie-jar.
LOGIN 7.47.1
HTTP server response:
* Added cookie cookieModuleXXX="CfDJ8PNMkDZf1-VPjhP1ezVfsxJxlvsx40RiS-..." for domain localhost, path /XXX/YYY, expire 1542884051
< Set-Cookie: cookieModuleXXX=CfDJ8PNMkDZf1-VPjhP1ezVfsxJxlvsx40RiS-...; expires=Thu, 22 Nov 2018 10:54:11 GMT; path=/XXX/YYY; secure; samesite=lax; httponly
cookiejar.txt:
#HttpOnly_localhost FALSE /XXX/YYY TRUE 1542884051 cookieModuleXXX CfDJ8PNMkDZf1-VPjhP1ezVfsxJxlvsx40RiS-...
LOGOUT 7.47.1
HTTP server response:
* Replaced cookie cookieModuleXXX="" for domain localhost, path /XXX/YYY, expire 1
< Set-Cookie: cookieModuleXXX=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/XXX/YYY; samesite=lax
cookiejar.txt: ==>EMPTY
With 7.61.1, it is failing. The cookie remains in my cookie-jar, hence my session remains open and active and I can't sign out. A simple change of curl.exe, with the exact same command line, suffices to replicate the issue.
LOGIN 7.61.1
HTTP server response:
* Added cookie cookieModuleXXX="CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_..." for domain localhost, path /XXX/YYY, expire 1542881087
< Set-Cookie: cookieModuleXXX=CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_...; expires=Thu, 22 Nov 2018 10:04:47 GMT; path=/XXX/YYY; samesite=lax; httponly
cookiejar.txt:
#HttpOnly_localhost FALSE /XXX/YYY FALSE 1542881087 cookieModuleXXX CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_...
LOGOUT 7.61.1
HTTP server response:
* Replaced cookie cookieModuleXXX="" for domain localhost, path /XXX/YYY, expire 1
< Set-Cookie: cookieModuleXXX=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/XXX/YYY; samesite=lax
cookiejar.txt: ==>NOT GETTING CLEANED
#HttpOnly_localhost FALSE /XXX/YYY FALSE 1542881087 cookieModuleXXX CfDJ8PNMkDZf1-VPjhP1ezVfsxLH8UB6HEB_...
So basically, Set-Cookie cookieModuleXXX="" is not overwriting and emptying my cookie-jar with 7.61.1 as it did with 7.47.1. Am I missing something? Does the new behavior make more sense for a reason I'm not getting?
Thank you,
David.
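
A check for the symptom reported above, as an added example that is not part of the original post or of curl: it parses cookie-jar text in the Netscape format curl writes (tab-separated fields, `#HttpOnly_` prefix) and returns the entries for a named cookie that a client would still send after logout. The function names, the `now` values and the token value are constructed for illustration; the domain, path, cookie name and expiry are the ones shown in the report.

```python
import time

HTTPONLY_PREFIX = "#HttpOnly_"

def parse_jar(text):
    """Parse Netscape cookie-jar text into a list of cookie dicts."""
    cookies = []
    for line in text.splitlines():
        # curl marks HttpOnly cookies by prefixing the domain with "#HttpOnly_",
        # so that prefix must be checked before treating "#" as a comment.
        httponly = line.startswith(HTTPONLY_PREFIX)
        if httponly:
            line = line[len(HTTPONLY_PREFIX):]
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or ordinary comment
        fields = line.split("\t")
        if len(fields) == 6:
            fields.append("")  # tolerate a missing (empty) value field
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed entry
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain, "path": path, "name": name, "value": value,
            "secure": secure == "TRUE", "httponly": httponly,
            "expires": int(expires),
        })
    return cookies

def live_cookies(text, name, now=None):
    """Entries named `name` that are not expired (expiry 0 = session cookie)."""
    now = time.time() if now is None else now
    return [c for c in parse_jar(text)
            if c["name"] == name and (c["expires"] == 0 or c["expires"] > now)]

# Constructed sample jars (token value is a placeholder, not a real session).
JAR_STALE = ("# Netscape HTTP Cookie File\n"
             "#HttpOnly_localhost\tFALSE\t/XXX/YYY\tFALSE\t1542881087\t"
             "cookieModuleXXX\tCONSTRUCTED_TOKEN\n")
JAR_CLEAN = "# Netscape HTTP Cookie File\n\n"

if __name__ == "__main__":
    left = live_cookies(JAR_STALE, "cookieModuleXXX", now=1542880000)
    print("logout failed to clear cookie" if left else "cookie cleared")
```

Run against the jar file after the logout request; any returned entry means the session token is still on disk and would be replayed on the next request.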