Re: Delete-Cookie header?? from Rory Hewitt on 2025-03-21 (ietf-http-wg@w3.org from January to March 2025)

From: Rory Hewitt <rory.hewitt@gmail.com>
Date: Fri, 21 Mar 2025 09:33:54 -0700
To: Martin Thomson <mt@lowentropy.net>
Cc: Yoav Weiss <yoav.weiss@shopify.com>, Daniel Stenberg <daniel@haxx.se>, Willy Tarreau <w@1wt.eu>, Daniel Veditz <dveditz@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAEmMwDy==u1vEGFayX0SWXo=u+a2W8tBuQoW5bsSBBuSgKoM8A@mail.gmail.com>

So the question is, without getting too into the weeds, do we want to allow
the Delete-Cookie header to explicitly specify path, domain etc.?

Since the current spec has the cookie name as a quoted string, then you
*could* have:

Delete-Cookie: "my-cookie; Path=/client; Domain=example.com"

But this is probably getting too detailed and might not add much benefit.

On Fri, Mar 21, 2025 at 3:00 AM Martin Thomson <mt@lowentropy.net> wrote:

> My understanding is that all cookies that can be read by the origin and
> that have the identified name are deleted.
>
> This means that the domain only matters to the extent that it includes the
> present origin and the path does not matter.
>
> On Thu, Mar 20, 2025, at 22:52, Rory Hewitt wrote:
> > Quick thoughts:
> >
> > If a client has two same-named cookies with different domains and/or
> > paths, do they all get deleted? For example, they were sent the
> > following Set-Cookie headers from the example.com server:
> >
> > Set-Cookie: my-cookie=abc; Path=/; Domain=www.example.com
> > Set-Cookie: my-cookie=def; Path=/client; Domain=example.com
> >
> > What happens if the server at example.com sends:
> >
> > Delete-Cookie: "my-cookie"
> >
> > Do they both get deleted?

Received on Friday, 21 March 2025 16:34:12 UTC