Re: Delete-Cookie header??

My understanding is that all cookies that can be read by the origin and that have the identified name are deleted.

This means that the domain only matters to the extent that it includes the present origin and the path does not matter.

On Thu, Mar 20, 2025, at 22:52, Rory Hewitt wrote:
> Quick thoughts:
>
> If a client has two same-named cookies with different domains and/or 
> paths, do they all get deleted? For example, they were sent the 
> following Set-Cookie headers from the example.com server:
>
> Set-Cookie: my-cookie=abc; Path=/; Domain=www.example.com
> Set-Cookie: my-cookie=def; Path=/client; Domain=example.com
>
> What happens if the server at example.com sends:
>
> Delete-Cookie: "my-cookie"
>
> Do they both get deleted?
>
> Nit: Section 3 says "These servers could have already deleted these 
> same cookies by setting cookies with identical name, path and domain 
> with an expiration date of 0." Technically, you can pass a max-age 
> attribute of 0 and/or an Expires date in the past, ut an expires date 
> of 0 is invalid...
>
> On Thu, Mar 20, 2025 at 2:22 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>> I've published an I-D <https://www.ietf.org/archive/id/draft-deletecookie-weiss-http-00.html> for this. As always, feedback is very much welcome!!
>> 
>> On Sun, Mar 2, 2025 at 9:51 AM Daniel Stenberg <daniel@haxx.se> wrote:
>>> On Sat, 1 Mar 2025, Rory Hewitt wrote:
>>> 
>>> > Do you think that the problem could be solved by a better-written spec or 
>>> > does the whole cookie issue need re-doing
>>> 
>>> I think the spec, including 6265bis, is generally good. I expect most of us 
>>> invididually think there are details in it that can be improved but which spec 
>>> is not like that?
>>> 
>>> I think 6265bis is an improvement and I think it can be improved further. 
>>> Again, like most specs.
>>> 
>>> -- 
>>> 
>>>   / daniel.haxx.se
>>> 
>
>
> -- 
> Rory Hewitt
>
> https://www.linkedin.com/in/roryhewitt

Received on Friday, 21 March 2025 10:00:28 UTC