[Question] How to remove cookies?

[Zerowalker]

I am having some problem figuring out how to remove cookies.

Cause you need to have the cookie in order to remove it, which to me is weird as i would expect to remove it by it's name.
But if you get the cookie beforehand you can't use that cookie to remove it cause of lifetime issues.
Are you supposed to just create a dummy cookie like in the Counter example?

    async fn handler(Extension(cookies): Extension<Cookies>) {
        let key = KEY.get().unwrap();
        let private_cookies = cookies.signed(key);
        cookies.remove(Cookie::new(COOKIE_NAME, ""));
    }

[imbolc]

Hey :)

Yep, a dummy cookie is ok. I see your point, but tower-cookies is just a tokio middleware around cookie crate, I guess they have their reasons for this kind of api. Here's the description of its remove method. Maybe make_removal is what you're looking for.

[Zerowalker]

Hey :)

Thanks for the quick response.
It indeed looks like make_removal is what i am looking for.
Is it possible to expose it from tower-cookies?
same goes for SameSite, cause then one wouldn't need to have the cookie crate in parallel.

EDIT:

Thought make_removal was a separate function, but it was in the cookie itself, so it's already there, my bad.
But then i still use the cookie i grabbed which doesn't work cause of the lifetime right?

[imbolc]

But then i still use the cookie i grabbed which doesn't work cause of the lifetime right?

Right. I don't see an obvious way to fix this. And also I don't remember ever needing make_removal, it feels always easier to just "remove" potentially non-existing cookie (it won't even create unnecessary header if the cookie doesn't exist as there won't be any "delta").

As for removing cookies by name, it certainly feels more intuitive, thank you for the suggestion. Could you review the changes before I merge it: 56a1fc3

[imbolc]

Hmm... I don't think it's a correct approach though as cookie::CookieJar::remove says:

To properly generate the removal cookie, cookie must contain the same path and domain as the cookie that was initially set.

So I guess we should first check if the cookie is there and use its path and domain while removing it just by name.

[imbolc]

I think it's done: #15

@davidpdrsn @programatik29 would one of you guys have a few minutes to review it? It makes it possible to remove cookies by name, thakns 🙏

[Zerowalker]

Oh you work quick.
Good catch with the Path part, otherwise it would be quite prone to "error".

Also, i remove some cookies in my error handler, but i don't know how to use the tower-cookies there as you just get access to the error and make a response.
Is there something i am might be missing you think, or might this just be a special case where i gotta use headers directly?

Thanks:)

[davidpdrsn]

Also, i remove some cookies in my error handler, but i don't know how to use the tower-cookies there as you just get access to the error and make a response.

What specifically do you mean by "error handler"? Do you mean using HandleErrorLayer, because that also supports running extractors. async fn handle_error(cookies: tower_cookies::Cookies, err: axum::BoxError) should work.

[imbolc]

Or in case of a middleware, where you have only a request you can use Cookies::from_request:

tower-cookies/examples/counter-extractor.rs

Line 22 in 3530030

async fn from_request(req: &mut RequestParts<B>) -> Result<Self, Self::Rejection> {

[Zerowalker]

It's a impl IntoResponse for MyError
Perhaps no the correct way to do it?

[imbolc]

Jar is kept in request extensions, so no access to request - no cookies :)

[Zerowalker]

make sense:)
So can i "solve" this by using a middleware or?
The purpose of the error handling is to be able to use Result.
But yeah this is clearly off topic so feel bad taking up even more of your time, so no need to really answer this.

[imbolc]

If you have request where you raise the error, you can process cookies there:

enum Error {
    LogOut
}

impl Error {
    log_out(req: RequestParts) -> Self {
        let cookies = Cookies::from_request(req).await?;
        ...
        Self::LogOut
    }
}

If you don't have the request, you can put something into the response extensions. And then in a middleware you can check the extensions and change cookies. Maybe there's a simpler way of doing this, you can ask in the axum discord: https://discord.com/channels/500028886025895936/870760546109116496

[imbolc]

So I guess we stick with the current behavior :)